
Commit aebf6b2

Fix CORS header configs (#555)
* add Access-Control-Allow-Credentials=true
* use the real request origin instead of '*' to fill Access-Control-Allow-Origin, as required by the stricter security rules of modern browsers
1 parent 78d8aec commit aebf6b2

2 files changed

+16
-7
lines changed


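--- a/api/src/main/java/io/kafbat/ui/config/CorsGlobalConfiguration.java
+++ b/api/src/main/java/io/kafbat/ui/config/CorsGlobalConfiguration.java
@@ -22,7 +22,7 @@ public WebFilter corsFilter() {
 
 final ServerHttpResponse response = ctx.getResponse();
 final HttpHeaders headers = response.getHeaders();
-fillCorsHeader(headers);
+fillCorsHeader(headers, request);
 
 if (request.getMethod() == HttpMethod.OPTIONS) {
 response.setStatusCode(HttpStatus.OK);
@@ -33,8 +33,9 @@ public WebFilter corsFilter() {
 };
 }
 
-public static void fillCorsHeader(HttpHeaders responseHeaders) {
-responseHeaders.add("Access-Control-Allow-Origin", "*");
+public static void fillCorsHeader(HttpHeaders responseHeaders, ServerHttpRequest request) {
+responseHeaders.add("Access-Control-Allow-Origin", request.getHeaders().getOrigin());
+responseHeaders.add("Access-Control-Allow-Credentials", "true");
 responseHeaders.add("Access-Control-Allow-Methods", "GET, PUT, POST, DELETE, OPTIONS");
 responseHeaders.add("Access-Control-Max-Age", "3600");
 responseHeaders.add("Access-Control-Allow-Headers", "Content-Type");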
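Review bot: Echoing `request.getHeaders().getOrigin()` unchecked into Access-Control-Allow-Origin while also sending Access-Control-Allow-Credentials=true (new lines 37–38) grants credentialed cross-origin access to any site that sends an Origin header, which is broader than the `*` it replaces, since browsers refuse to combine `*` with credentials but will accept a reflected origin. The origin should be compared against a configured allow-list and only echoed on a match, with `Vary: Origin` added so shared caches do not serve one origin's response to another. `getOrigin()` returns null when the header is absent (same-origin and non-browser clients), and adding a header with a null value is at best malformed, so that case should be skipped as well. The rewrite below uses `allowedOrigins` as a placeholder for wherever the project keeps that configuration.
```java
public static void fillCorsHeader(HttpHeaders responseHeaders, ServerHttpRequest request) {
  String origin = request.getHeaders().getOrigin();
  // Reflecting any Origin together with Allow-Credentials=true would grant every
  // site credentialed access; only echo origins on the configured allow-list.
  // allowedOrigins: placeholder for the project's configured allow-list.
  if (origin == null || !allowedOrigins.contains(origin)) {
    return;
  }
  responseHeaders.add("Access-Control-Allow-Origin", origin);
  responseHeaders.add("Access-Control-Allow-Credentials", "true");
  // The response now depends on the request's Origin, so caches must key on it.
  responseHeaders.add(HttpHeaders.VARY, "Origin");
  // … unchanged: Allow-Methods, Max-Age, Allow-Headers …
}
```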

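--- a/api/src/main/java/io/kafbat/ui/exception/GlobalErrorWebExceptionHandler.java
+++ b/api/src/main/java/io/kafbat/ui/exception/GlobalErrorWebExceptionHandler.java
@@ -9,6 +9,7 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
+import java.util.function.Consumer;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 import org.springframework.boot.autoconfigure.web.WebProperties;
@@ -17,6 +18,7 @@
 import org.springframework.context.ApplicationContext;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.codec.ServerCodecConfigurer;
@@ -79,7 +81,7 @@ private Mono<ServerResponse> renderDefault(Throwable throwable, ServerRequest re
 return ServerResponse
 .status(ErrorCode.UNEXPECTED.httpStatus())
 .contentType(MediaType.APPLICATION_JSON)
-.headers(CorsGlobalConfiguration::fillCorsHeader)
+.headers(headers(request))
 .bodyValue(response);
 }
 
@@ -94,7 +96,7 @@ private Mono<ServerResponse> render(CustomBaseException baseException, ServerReq
 return ServerResponse
 .status(errorCode.httpStatus())
 .contentType(MediaType.APPLICATION_JSON)
-.headers(CorsGlobalConfiguration::fillCorsHeader)
+.headers(headers(request))
 .bodyValue(response);
 }
 
@@ -125,7 +127,7 @@ private Mono<ServerResponse> render(WebExchangeBindException exception, ServerRe
 return ServerResponse
 .status(HttpStatus.BAD_REQUEST)
 .contentType(MediaType.APPLICATION_JSON)
-.headers(CorsGlobalConfiguration::fillCorsHeader)
+.headers(headers(request))
 .bodyValue(response);
 }
 
@@ -140,14 +142,20 @@ private Mono<ServerResponse> render(ResponseStatusException exception, ServerReq
 return ServerResponse
 .status(exception.getStatusCode())
 .contentType(MediaType.APPLICATION_JSON)
-.headers(CorsGlobalConfiguration::fillCorsHeader)
+.headers(headers(request))
 .bodyValue(response);
 }
 
 private String requestId(ServerRequest request) {
 return request.exchange().getRequest().getId();
 }
 
+private Consumer<HttpHeaders> headers(ServerRequest request) {
+return (HttpHeaders headers) -> {
+CorsGlobalConfiguration.fillCorsHeader(headers, request.exchange().getRequest());
+};
+}
+
 private BigDecimal currentTimestamp() {
 return BigDecimal.valueOf(System.currentTimeMillis());
 }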
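Review bot: The new `headers(ServerRequest)` helper at new lines 153–157 wraps a single call in a typed, block-bodied lambda; an expression lambda says the same thing more directly: `return headers -> CorsGlobalConfiguration.fillCorsHeader(headers, request.exchange().getRequest());`. A short Javadoc such as `/** Returns the header customizer that applies the request's CORS headers to an error response. */` would help, as this is the only place the error handler touches CORS. Both `corsFilter` and these render methods add the CORS headers via `HttpHeaders.add`, so if the filter's headers are still present on the response when the error handler renders, the error response would carry two Access-Control-Allow-Origin values, which browsers reject; a test on an error path confirming a single value would settle that. The same `headers(request)` replacement appears in the four earlier hunks of this file.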
