QUARKUS-2695

[Docs] Document the CORS configuration change that is required to the CVE fix in CORS as breaking change


    • Type: Task
    • Resolution: Done
    • Priority: Major
    • Fix Version: 2.13-Fireball.GA
    • Labels: team/docs
      == Stricter CORS filter for same-origin requests

      With this update, the Vert.x cross-origin resource sharing (CORS) filter, Vert.x HTTP CORS, is stricter and denies same-origin requests when the filter has not been explicitly configured to accept such origins.

      For example, if you host a {ProductName} application on `https://my.org` that includes an HTML page, which contains JavaScript that posts updates back to `https://my.org`, you need to apply the following configuration in the `application.properties` file to allow same-origin requests:

      ----
      quarkus.http.cors=true
      quarkus.http.cors.origins=https://my.org
      ----

      Before this update, configuring the Vert.x HTTP CORS filter to allow the same host origins was not necessary.
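The release note above describes the post-fix rule in words; the following is an added toy model (not Vert.x or Quarkus code) that makes the two behaviours side by side concrete. It parses the two `application.properties` keys from the note, reproduces the browser observation that a same-origin POST still carries an `Origin` header, and then applies the stricter decision. The pre-fix "legacy" path is inferred from the note's last sentence (same-host origins were accepted without configuration); the set of methods assumed to carry `Origin` on same-origin requests extends the note's POST observation to the other non-idempotent methods and is an assumption.

```python
"""Toy model of the stricter Vert.x HTTP CORS filter behaviour described in the
release note. Constructed for illustration only; this is not Vert.x or Quarkus code."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed copy of the application.properties snippet shown in the note.
SAMPLE_PROPERTIES = """
quarkus.http.cors=true
quarkus.http.cors.origins=https://my.org
"""

# Assumption: same-origin requests with these methods carry an Origin header.
# The note only reports it for POST; the rest are the usual non-idempotent set.
NON_IDEMPOTENT = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class CorsConfig:
    enabled: bool = False
    origins: list = field(default_factory=list)


def parse_properties(text: str) -> CorsConfig:
    """Read only the two CORS keys used in the note; everything else is ignored."""
    cfg = CorsConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "quarkus.http.cors":
            cfg.enabled = value.lower() == "true"
        elif key == "quarkus.http.cors.origins":
            cfg.origins = [o.strip() for o in value.split(",") if o.strip()]
    return cfg


def browser_origin_header(page_origin: str, target_origin: str, method: str) -> Optional[str]:
    """Which Origin header the browser attaches, following the note's observation."""
    if page_origin != target_origin:
        return page_origin          # cross-origin: Origin is always present
    if method.upper() in NON_IDEMPOTENT:
        return page_origin          # same-origin POST etc.: Origin is still sent
    return None                     # same-origin GET: no Origin header


def filter_decision(cfg: CorsConfig, origin: Optional[str], app_origin: str,
                    strict: bool = True) -> str:
    """Return "allow" or "deny".

    strict=True  : post-fix rule from the note: a request carrying an Origin header
                   is allowed only if the filter is enabled and that origin is listed,
                   even when it is the application's own origin.
    strict=False : pre-fix rule, inferred from the note's last sentence: the
                   application's own origin was accepted without configuration.
    """
    if origin is None:
        return "allow"              # no Origin header: nothing for the filter to check
    if not strict and origin == app_origin:
        return "allow"
    if cfg.enabled and origin in cfg.origins:
        return "allow"
    return "deny"


def same_origin_post_outcome(properties: str, app_origin: str = "https://my.org",
                             strict: bool = True) -> str:
    """End-to-end check for the note's scenario: JS on app_origin POSTs back to app_origin."""
    cfg = parse_properties(properties)
    origin = browser_origin_header(app_origin, app_origin, "POST")
    return filter_decision(cfg, origin, app_origin, strict)


if __name__ == "__main__":
    for label, props in (("configured", SAMPLE_PROPERTIES), ("unconfigured", "")):
        print(f"{label:12s} strict={same_origin_post_outcome(props):5s} "
              f"legacy={same_origin_post_outcome(props, strict=False)}")
```

Running it shows the regression the note warns about: with an empty configuration the same-origin POST is allowed under the legacy rule but denied under the strict one, and only the two-line configuration from the note restores "allow". A same-origin GET, which carries no `Origin` header, is unaffected either way, which is why the breakage typically surfaces on form posts and XHR writes rather than on page loads.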
    • Proposed

      SME: sbiarozk

      The fix to CVE-2022-4714 required the introduction of stricter filtering rules for HTTP requests in Cross-origin resource sharing (CORS).

      Quoting the explanation of the impact of this change on user experience from Sergey's email:

      Vert.x HTTP CORS Filter is now extra strict and denies same Origin requests if the browser has decided to include Origin and the filter has not been told explicitly to accept such same host Origin. The browser should not be even adding Origin for the same Origin requests, but looks like it does so for non-idempotent methods like POST.

      We need to document how to add the Origin domain to the application configuration, so that the CORS request filter does not block requests made from the origin domain in certain use cases.
      For a more detailed explanation, please reach out to Sergey.

              mmaler@redhat.com Michal Maléř
              ssitani Stefan Sitani (Inactive)
              Michal Vavrik Michal Vavrik