You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2018/05/30 21:25:48 UTC
[Bug 62419] New: Avoid CORS Origin echoing by default
https://bz.apache.org/bugzilla/show_bug.cgi?id=62419
Bug ID: 62419
Summary: Avoid CORS Origin echoing by default
Product: Tomcat 8
Version: 8.5.14
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: hauser@acm.org
Target Milestone: ----
As per a hint we got from network security of rub.de,
response.addHeader(
CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN,
"*");
is more secure than plain origin echoing.
Therefore, the easiest to get there might be to set the default of
cors.support.credentials = false ?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 62419] Avoid CORS Origin echoing by default
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62419
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
https://markmail.org/message/sv2kr463zhummdkd
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.32
Reviewing r1831728, the docs needs to be updated to reflect those changes. I'll
get that done today.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 62419] Avoid CORS Origin echoing by default
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62419
--- Comment #2 from Ralf Hauser <ha...@acm.org> ---
To easily test whether you are affected
curl -vsLH "Origin: http://evil.com" https://yourdomain.tld/ 2>&1 | grep -i
access-control
If you see "evil", then you are, if you see "*" you are not.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org