include::../description.adoc[] include::../ask-yourself.adoc[] include::../recommended.adoc[] == Sensitive Code Example Java servlet framework: [source,java] ---- @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { resp.setHeader("Content-Type", "text/plain; charset=utf-8"); resp.setHeader("Access-Control-Allow-Origin", "*"); // Sensitive resp.setHeader("Access-Control-Allow-Credentials", "true"); resp.setHeader("Access-Control-Allow-Methods", "GET"); resp.getWriter().write("response"); } ---- Spring MVC framework: * https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/bind/annotation/CrossOrigin.html[CrossOrigin] [source,java] ---- @CrossOrigin // Sensitive @RequestMapping("") public class TestController { public String home(ModelMap model) { model.addAttribute("message", "ok "); return "view"; } } ---- * https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/cors/CorsConfiguration.html[cors.CorsConfiguration] [source,java] ---- CorsConfiguration config = new CorsConfiguration(); config.addAllowedOrigin("*"); // Sensitive config.applyPermitDefaultValues(); // Sensitive ---- * https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/servlet/config/annotation/CorsRegistration.html[servlet.config.annotation.CorsConfiguration] [source,java] ---- class Insecure implements WebMvcConfigurer { @Override public void addCorsMappings(CorsRegistry registry) { registry.addMapping("/**") .allowedOrigins("*"); // Sensitive } } ---- User-controlled origin: [source,java] ---- public ResponseEntity userControlledOrigin(@RequestHeader("Origin") String origin) { HttpHeaders responseHeaders = new HttpHeaders(); responseHeaders.add("Access-Control-Allow-Origin", origin); // Sensitive return new ResponseEntity<>("content", responseHeaders, HttpStatus.CREATED); } ---- == Compliant Solution Java Servlet framework: [source,java] ---- @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { resp.setHeader("Content-Type", "text/plain; charset=utf-8"); resp.setHeader("Access-Control-Allow-Origin", "trustedwebsite.com"); // Compliant resp.setHeader("Access-Control-Allow-Credentials", "true"); resp.setHeader("Access-Control-Allow-Methods", "GET"); resp.getWriter().write("response"); } ---- Spring MVC framework: * https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/bind/annotation/CrossOrigin.html[CrossOrigin] [source,java] ---- @CrossOrigin("trustedwebsite.com") // Compliant @RequestMapping("") public class TestController { public String home(ModelMap model) { model.addAttribute("message", "ok "); return "view"; } } ---- * https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/cors/CorsConfiguration.html[cors.CorsConfiguration] [source,java] ---- CorsConfiguration config = new CorsConfiguration(); config.addAllowedOrigin("http://domain2.com"); // Compliant ---- * https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/servlet/config/annotation/CorsRegistration.html[servlet.config.annotation.CorsConfiguration] [source,java] ---- class Safe implements WebMvcConfigurer { @Override public void addCorsMappings(CorsRegistry registry) { registry.addMapping("/**") .allowedOrigins("safe.com"); // Compliant } } ---- User-controlled origin validated with an allow-list: [source,java] ---- public ResponseEntity userControlledOrigin(@RequestHeader("Origin") String origin) { HttpHeaders responseHeaders = new HttpHeaders(); if (trustedOrigins.contains(origin)) { responseHeaders.add("Access-Control-Allow-Origin", origin); } return new ResponseEntity<>("content", responseHeaders, HttpStatus.CREATED); } ---- include::../see.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::../message.adoc[] include::../highlighting.adoc[] ''' == Comments And Links (visible only on this page) === on 13 Jan 2019, 22:57:44 Lars Svensson wrote: https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter https://spring.io/blog/2015/06/08/cors-support-in-spring-framework https://docs.spring.io/spring-security/site/docs/5.0.x/reference/html/cors.html include::../comments-and-links.adoc[] endif::env-github,rspecator-view[]