
[Docs] Document the CORS configuration change that is required to the CVE fix in CORS as breaking change


Details

    • Task
    • Resolution: Done
    • Major
    • 2.13-Fireball.GA
    • team/docs
    • 5
      == Stricter CORS filter for same-origin requests

      With this update, the Vert.x cross-origin resource sharing (CORS) filter, Vert.x HTTP CORS, is stricter and denies same-origin requests when the filter has not been explicitly configured to accept such origins.

      For example, if you host a {ProductName} application on `https://my.org` that includes an HTML page, which contains JavaScript that posts updates back to `https://my.org`, you need to apply the following configuration in the `application.properties` file to allow same-origin requests:

      ----
      quarkus.http.cors=true
      quarkus.http.cors.origins=https://my.org
      ----

      Before this update, configuring the Vert.x HTTP CORS filter to allow the same host origins was not necessary.
    • Proposed

    Description

      SME: sbiarozk

      The fix to CVE-2022-4714 required the introduction of stricter filtering rules for HTTP requests in cross-origin resource sharing (CORS).

      Quoting the explanation of the impact of this change on user experience from Sergey's email:

      Vert.x HTTP CORS Filter is now extra strict and denies same Origin requests if the browser has decided to include Origin and the filter has not been told explicitly to accept such same host Origin. The browser should not be even adding Origin for the same Origin requests, but it looks like it does so for non-idempotent methods like POST.

      We need to document how to add the Origin domain to the application configuration, so that the CORS request filter does not block requests made from the origin domain in certain use cases.
      For a more detailed explanation, please reach out to Sergey.
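      The following is an added illustration of the behaviour change described in the release note and in the description above; it is a simplified model written for this page, not the Vert.x or Quarkus implementation. The `strict` flag, the helper names and the before/after split are assumptions used to walk through the case of a browser sending a POST with an `Origin` header back to the same host.

```python
# Simplified model of the stricter same-origin CORS check described in
# QUARKUS-2695. This is NOT the Vert.x/Quarkus code: the function names and
# the strict/non-strict split are assumptions made for the walkthrough.
from typing import Dict, List, Optional


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines as found in application.properties."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def allowed_origins(props: Dict[str, str]) -> List[str]:
    """Comma-separated list from quarkus.http.cors.origins (exact strings)."""
    raw = props.get("quarkus.http.cors.origins", "")
    return [o.strip() for o in raw.split(",") if o.strip()]


def cors_allows(props: Dict[str, str], origin: Optional[str],
                server_origin: str, strict: bool = True) -> bool:
    """Decide whether the modelled filter lets a request through.

    origin        -- value of the request's Origin header, None if absent
    server_origin -- scheme://host[:port] the application is served from
    strict=False  -- pre-fix behaviour: a same-host Origin is accepted
                     implicitly even when no origins are configured
    strict=True   -- post-fix behaviour: only configured origins pass
    """
    if props.get("quarkus.http.cors", "false").lower() != "true":
        return True  # filter disabled, nothing is checked
    if origin is None:
        return True  # no Origin header (e.g. a plain GET): not a CORS request
    if origin in allowed_origins(props):
        return True  # explicitly configured, as the release note recommends
    if not strict and origin == server_origin:
        return True  # old behaviour: same host implicitly trusted
    return False


# Constructed samples: the configuration from the release note, and the same
# deployment with the CORS filter enabled but no origins listed.
CONFIGURED = parse_properties(
    "quarkus.http.cors=true\nquarkus.http.cors.origins=https://my.org\n")
UNCONFIGURED = parse_properties("quarkus.http.cors=true\n")
```

With `UNCONFIGURED`, a browser POST from `https://my.org` to `https://my.org` passes only under `strict=False`; adding `quarkus.http.cors.origins=https://my.org` makes it pass under the stricter filter as well.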

          People

            mmaler@redhat.com Michal Maléř
            ssitani Stefan Sitani
            Michal Vavrik Michal Vavrik