Skip to content

Commit

Permalink
Fix CORS header configs (#555)
Browse files Browse the repository at this point in the history
* add Access-Control-Allow-Credentials=true
* use real request origin instead of '*' to fill Access-Control-Allow-Origin, due to high security standards of modern browsers
  • Loading branch information
hadisfr committed Sep 21, 2024
1 parent 151b4c9 commit 615e043
Show file tree
Hide file tree
Showing 2 changed files with 16 additions and 7 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ public WebFilter corsFilter() {

final ServerHttpResponse response = ctx.getResponse();
final HttpHeaders headers = response.getHeaders();
fillCorsHeader(headers);
fillCorsHeader(headers, request);

if (request.getMethod() == HttpMethod.OPTIONS) {
response.setStatusCode(HttpStatus.OK);
Expand All @@ -33,8 +33,9 @@ public WebFilter corsFilter() {
};
}

public static void fillCorsHeader(HttpHeaders responseHeaders) {
responseHeaders.add("Access-Control-Allow-Origin", "*");
public static void fillCorsHeader(HttpHeaders responseHeaders, ServerHttpRequest request) {
responseHeaders.add("Access-Control-Allow-Origin", request.getHeaders().getOrigin());
responseHeaders.add("Access-Control-Allow-Credentials", "true");
responseHeaders.add("Access-Control-Allow-Methods", "GET, PUT, POST, DELETE, OPTIONS");
responseHeaders.add("Access-Control-Max-Age", "3600");
responseHeaders.add("Access-Control-Allow-Headers", "Content-Type");
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.Consumer;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.springframework.boot.autoconfigure.web.WebProperties;
Expand All @@ -17,6 +18,7 @@
import org.springframework.context.ApplicationContext;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.codec.ServerCodecConfigurer;
Expand Down Expand Up @@ -79,7 +81,7 @@ private Mono<ServerResponse> renderDefault(Throwable throwable, ServerRequest re
return ServerResponse
.status(ErrorCode.UNEXPECTED.httpStatus())
.contentType(MediaType.APPLICATION_JSON)
.headers(CorsGlobalConfiguration::fillCorsHeader)
.headers(headers(request))
.bodyValue(response);
}

Expand All @@ -94,7 +96,7 @@ private Mono<ServerResponse> render(CustomBaseException baseException, ServerReq
return ServerResponse
.status(errorCode.httpStatus())
.contentType(MediaType.APPLICATION_JSON)
.headers(CorsGlobalConfiguration::fillCorsHeader)
.headers(headers(request))
.bodyValue(response);
}

Expand Down Expand Up @@ -125,7 +127,7 @@ private Mono<ServerResponse> render(WebExchangeBindException exception, ServerRe
return ServerResponse
.status(HttpStatus.BAD_REQUEST)
.contentType(MediaType.APPLICATION_JSON)
.headers(CorsGlobalConfiguration::fillCorsHeader)
.headers(headers(request))
.bodyValue(response);
}

Expand All @@ -140,14 +142,20 @@ private Mono<ServerResponse> render(ResponseStatusException exception, ServerReq
return ServerResponse
.status(exception.getStatusCode())
.contentType(MediaType.APPLICATION_JSON)
.headers(CorsGlobalConfiguration::fillCorsHeader)
.headers(headers(request))
.bodyValue(response);
}

private String requestId(ServerRequest request) {
return request.exchange().getRequest().getId();
}

private Consumer<HttpHeaders> headers(ServerRequest request) {
return (HttpHeaders headers) -> {
CorsGlobalConfiguration.fillCorsHeader(headers, request.exchange().getRequest());
};
}

private BigDecimal currentTimestamp() {
return BigDecimal.valueOf(System.currentTimeMillis());
}
Expand Down

0 comments on commit 615e043

Please sign in to comment.