Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2021/09/22 18:05:00 UTC

[jira] [Created] (NIFI-9241) Review CORS Security Configuration

David Handermann created NIFI-9241:
--------------------------------------

             Summary: Review CORS Security Configuration
                 Key: NIFI-9241
                 URL: https://issues.apache.org/jira/browse/NIFI-9241
             Project: Apache NiFi
          Issue Type: Improvement
          Components: Core UI, Security
    Affects Versions: 1.14.0, 1.8.0
            Reporter: David Handermann
            Assignee: David Handermann


The NiFi Web Security Configuration includes a custom CORS Configuration Source that disallows HTTP POST requests for Template Uploads. This works as expected with direct access to the NiFi UI, but causes issues when attempting to upload a template to NiFi through a reverse proxy.

When a web browser sends a template upload request that includes an unexpected {{Origin}} header, the Spring CORS Filter returns HTTP 403 Forbidden with a response body containing the message {{Invalid CORS Request}}.  NIFI-6080 describes a workaround that involves setting a different {{Origin}} header.  The current approach as implemented in NIFI-5595 should be evaluated for potential improvements to avoid this behavior when running NiFi with a reverse proxy.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
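
Added example, not part of the original message and not NiFi or Spring code: a simplified Python model of the origin comparison that produces the 403 described above when the browser's Origin names the reverse proxy while the backend sees its own address. The host names, the allowed-method set, and the reading of the NIFI-6080 workaround as a proxy that overwrites Origin with the backend's own origin are assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REJECTED = (403, "Invalid CORS Request")   # status and body quoted in the issue
PASSED = (200, "handled by application")   # constructed stand-in for normal processing


def _port(scheme, port):
    """Fill in the scheme's default port when none is given."""
    return port if port is not None else DEFAULT_PORTS.get(scheme)


def is_cross_origin(origin, scheme, host, port):
    """Compare the Origin header with the scheme/host/port the server sees."""
    if origin is None:
        return False  # no Origin header: not treated as a CORS request
    parts = urlsplit(origin)
    try:
        seen = (parts.scheme, parts.hostname, _port(parts.scheme, parts.port))
    except ValueError:
        return True  # malformed port cannot match, treat as cross-origin
    return seen != (scheme, host.lower(), _port(scheme, port))


def cors_decision(method, origin, server, allowed_methods):
    """server is (scheme, host, port) as the backend sees it, not as the browser does."""
    if not is_cross_origin(origin, *server):
        return PASSED
    return PASSED if method in allowed_methods else REJECTED


def proxy_forward(browser_origin, set_origin=None):
    """Origin the backend receives; set_origin models a proxy that overwrites it."""
    return set_origin if set_origin is not None else browser_origin


def demo():
    backend = ("https", "nifi.internal.example", 8443)   # constructed host names
    own = "https://nifi.internal.example:8443"
    public = "https://flows.example.com"                 # constructed proxy address
    upload_methods = {"GET", "HEAD"}                     # POST left out, as the issue describes
    return {
        "direct": cors_decision("POST", own, backend, upload_methods),
        "proxied": cors_decision("POST", proxy_forward(public), backend, upload_methods),
        "proxied_get": cors_decision("GET", proxy_forward(public), backend, upload_methods),
        "origin_rewritten": cors_decision("POST", proxy_forward(public, own), backend, upload_methods),
    }
```

In this model, overwriting Origin at the proxy makes every forwarded request look same-origin to the backend, so the check no longer reflects the browser's real origin.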