Possible issue with duplicate headers in CORS / not respecting allowCrossDomain = False #407

chopki · 2021-02-25T14:44:22Z

CF 2016 / Taffy 3.1 / Java 15.0.1

Line 249 in 3cefedf

    
           <cfif structKeyExists(_taffyRequest.headers, "origin") AND (application._taffy.settings.allowCrossDomain eq true or len(application._taffy.settings.allowCrossDomain) gt 0)>

When running an API that had only some resources available for CORS setting the global allowCrossDomain = false caused Access-Control-Allow-Headers to be output twice as i was sorting the cors like the below.

Presumably the line of code in the api.cfc is set up to check the length of allowCrossDomain as you can put in a list of domains, but with false also being treated as a string it also then passes this check.

Its not a huge issues and the workaround was to set allowCrossDomain to an empty string - Running taffy 3.1.

	<cffunction name="options">
		<cfset var loc = {} >

		<cfset loc.headers = {
			"Access-Control-Allow-Origin" = "*"
			,"Access-Control-Allow-Headers" = "Origin,Authorization,X-CSRF-Token,X-Requested-With,Content-Type,X-HTTP-Method-Override,Accept,Referrer,User-Agent,X-Custom-Header"
		}>
		
		<cfreturn
			noData()
			.withHeaders(loc.headers)
		/>
	</cffunction>

The text was updated successfully, but these errors were encountered:

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Possible issue with duplicate headers in CORS / not respecting allowCrossDomain = False #407

Possible issue with duplicate headers in CORS / not respecting allowCrossDomain = False #407

chopki commented Feb 25, 2021

Possible issue with duplicate headers in CORS / not respecting allowCrossDomain = False #407

Possible issue with duplicate headers in CORS / not respecting allowCrossDomain = False #407

Comments

chopki commented Feb 25, 2021