Author: markt Date: Thu May 31 09:44:21 2018 New Revision: 1832592 URL: http://svn.apache.org/viewvc?rev=1832592&view=rev Log: Update docs after changes for CVE-2018-8014
Modified: tomcat/trunk/java/org/apache/catalina/filters/CorsFilter.java tomcat/trunk/webapps/docs/config/filter.xml
Modified: tomcat/trunk/java/org/apache/catalina/filters/CorsFilter.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/CorsFilter.java?rev=1832592&r1=1832591&r2=1832592&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/CorsFilter.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/CorsFilter.java Thu May 31 09:44:21 2018
@@ -1060,7 +1060,7 @@ public class CorsFilter extends GenericF
 // ------------------------------------------------ Configuration Defaults
 /**
- * By default, all origins are allowed to make requests.
+ * By default, no origins are allowed to make requests.
 */
 public static final String DEFAULT_ALLOWED_ORIGINS = "";
@@ -1076,7 +1076,7 @@ public class CorsFilter extends GenericF
 public static final String DEFAULT_PREFLIGHT_MAXAGE = "1800";
 /**
- * By default, support credentials is turned on.
+ * By default, support credentials is disabled.
 */
 public static final String DEFAULT_SUPPORTS_CREDENTIALS = "false";
Modified: tomcat/trunk/webapps/docs/config/filter.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/filter.xml?rev=1832592&r1=1832591&r2=1832592&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/filter.xml (original)
+++ tomcat/trunk/webapps/docs/config/filter.xml Thu May 31 09:44:21 2018
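Review bot: The corrected Javadoc on `DEFAULT_ALLOWED_ORIGINS` and `DEFAULT_SUPPORTS_CREDENTIALS` (both hunks of CorsFilter.java) states the new defaults but not what they mean for a deployment: with the empty string no cross-origin request is admitted until origins are configured, and credentials stay off unless enabled explicitly. I would spell that out, e.g. `* By default, no origins are allowed to make requests; allowed origins must be listed explicitly via cors.allowed.origins.` and `* By default, credential support is disabled; enabling it for all origins is the insecure default addressed by CVE-2018-8014.` Whether the filter itself rejects a wildcard origin combined with credentials is not visible in these hunks, so the second comment should be checked against the init code before it goes in. The enclosing class starts and ends outside both hunks.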
@@ -130,7 +130,7 @@ specified to enable access to resource from any origin. Otherwise, a whitelist of comma separated origins can be provided. Eg: <code> http://www.w3.org, https://www.apache.org</code>. - <strong>Defaults:</strong> <code>*</code> (Any origin is allowed to + <strong>Defaults:</strong> The empty String. (No origin is allowed to access the resource).</p> </attribute> <attribute name="cors.allowed.methods" required="false"> @@ -171,7 +171,7 @@ <code>Access-Control-Allow-Credentials</code> header in a pre-flight response. It helps browser determine whether or not an actual request can be made using credentials. <strong>Defaults:</strong> - <code>true</code></p> + <code>false</code></p> </attribute> <attribute name="cors.request.decorate" required="false"> <p>A flag to control if CORS specific attributes should be added to --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org