Hi,

On Wed, Feb 24, 2021 at 6:37 PM Bruno Konik <[email protected]> wrote:
>
> Hello Simone,
>
> Thanks for your reply.
>
> Our application embeds a Jetty server which delivers web services that are
> provided by a javascript library. The library is embedded by websites. Those
> websites are authorized by the CORS header. While the server is running, it
> is possible to add a new website. Until now, when doing so, we were stopping
> and starting the server again. I would like a better way to do so avoiding
> this restart. That's the reason. I would have imagined that changing the
> CORS filter's list of authorized origins on the fly would not affect the
> running requests working with the "old" list of origins but only the new
> ones which would use the new list.
>
> So there is no way to properly "restart" a Filter while the server is
> running?

I'm not sure I understand your setup.

If you "add a new website" you need to add a new ContextHandler, and with that a different instance of the CrossOriginFilter that you configure appropriately for the new website (and only for that one).

If, instead, you have a single CrossOriginFilter for all the websites, there should be a place in the code where for an incoming request you figure out what "website" it should be dispatched to. Once that is figured out, you should be able to change the Access-Control-Allow-Origin header accordingly (for example in a filter _after_ the CrossOriginFilter).

If you have a single CrossOriginFilter, adding "websites" to the list returned by the Access-Control-Allow-Origin header seems a leakage of information. An attacker that contacts http://foo.com gets back a response with Access-Control-Allow-Origin: http://foo.com, http://bar.com, so that it now knows there is another "website" at http://bar.com.

Maybe it's not an issue in your case, but if you explain better your setup we may provide an alternative solution to your proposal (which I am not particularly keen to implement).

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
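
One way to combine the two points in this thread, as an added example that is not Jetty's CrossOriginFilter and not code from either poster: a servlet filter whose origin list can change while the server runs, and which returns only the single requesting origin in Access-Control-Allow-Origin. The class name `DynamicOriginFilter`, its `allowOrigin`/`revokeOrigin` methods and the `allowedOrigins` init-param are hypothetical, and the `javax.servlet` API is assumed.

```java
import java.io.IOException;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not Jetty's CrossOriginFilter): the allowlist can be
// changed while the server runs, and a response names at most one origin.
public class DynamicOriginFilter implements Filter {
    // Concurrent set: request threads read it while an admin thread updates it.
    private final Set<String> allowedOrigins = ConcurrentHashMap.newKeySet();

    public void allowOrigin(String origin) { allowedOrigins.add(origin); }
    public void revokeOrigin(String origin) { allowedOrigins.remove(origin); }

    @Override
    public void init(FilterConfig config) {
        // Optional comma-separated starting list (init-param name is an assumption).
        String initial = config.getInitParameter("allowedOrigins");
        if (initial != null) {
            for (String o : initial.split(",")) {
                if (!o.trim().isEmpty()) allowedOrigins.add(o.trim());
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String origin = request.getHeader("Origin");
        // Caches must key on Origin because the response differs per origin.
        response.addHeader("Vary", "Origin");
        if (origin != null && allowedOrigins.contains(origin)) {
            // Exact match only; echo the requesting origin, never the whole list.
            response.setHeader("Access-Control-Allow-Origin", origin);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { allowedOrigins.clear(); }
}
```

In an embedded server the application keeps a reference to the filter instance it registers and calls `allowOrigin` when a website is added; a request from an origin that is not in the set gets no Access-Control-Allow-Origin header at all.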
