You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@camel.apache.org by "Nicola Ferraro (JIRA)" <ji...@apache.org> on 2017/03/01 10:48:45 UTC
[jira] [Created] (CAMEL-10913) CORS header
Access-Control-Allow-Credentials not managed correctly
Nicola Ferraro created CAMEL-10913:
--------------------------------------
Summary: CORS header Access-Control-Allow-Credentials not managed correctly
Key: CAMEL-10913
URL: https://issues.apache.org/jira/browse/CAMEL-10913
Project: Camel
Issue Type: Bug
Components: camel-http-common
Reporter: Nicola Ferraro
When a browser uses the "withCredentials" flag (not visible in HTTP request headers), it accepts the response only if the "Access-Control-Allow-Credentials" header returned by the server is set to "true".
That header is not part of Camel standard cors headers, but it can be set in the route. The problem is that when "Access-Control-Allow-Credentials" is set to "true", the "Access-Control-Allow-Origin" header cannot be set to "*", which is our default (https://www.w3.org/TR/cors/ - section 6.1, point 3).
Setting a value for the "Access-Control-Allow-Origin" header equals to the "Origin" header of the request makes the trick, but this must be set per-route, and *CORS must be disabled*.
Eg.
{code}
// do not enable cors
rest().get("/hello")
.route()
.to("direct:handle")
.setHeader("Access-Control-Allow-Credentials", constant("true"))
.setHeader("Access-Control-Allow-Origin", header("Origin"));
{code}
Otherwise the only option is setting a fixed allowed origin if you know it in advance.
I wonder if we should add e.g. a ".corsAllowCredentials(boolean)" configuration to handle this situation correctly, or another flag to reflect the origin instead of returning "*".
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)