You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by bu...@apache.org on 2018/05/30 21:25:48 UTC

[Bug 62419] New: Avoid CORS Origin echoing by default

https://bz.apache.org/bugzilla/show_bug.cgi?id=62419

            Bug ID: 62419
           Summary: Avoid CORS Origin echoing by default
           Product: Tomcat 8
           Version: 8.5.14
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: hauser@acm.org
  Target Milestone: ----

As per a hint we got from network security of rub.de,


              response.addHeader(
                    CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN,
                    "*");

is more secure than plain origin echoing.

Therefore, the easiest to get there might be to set the default of 
cors.support.credentials = false ?

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 62419] Avoid CORS Origin echoing by default

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=62419

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
https://markmail.org/message/sv2kr463zhummdkd
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.32

Reviewing r1831728, the docs needs to be updated to reflect those changes. I'll
get that done today.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 62419] Avoid CORS Origin echoing by default

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=62419

--- Comment #2 from Ralf Hauser <ha...@acm.org> ---
To easily test whether you are affected

  curl -vsLH "Origin: http://evil.com" https://yourdomain.tld/ 2>&1  | grep -i
access-control

If you see "evil", then you are, if you see "*" you are not.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org