authorValerij Fredriksen <freva@users.noreply.github.com>2021-01-25 16:42:34 +0100
committerGitHub <noreply@github.com>2021-01-25 16:42:34 +0100
commit134a556ff6a42b72ebb970c1c417a9f55cf96c8f (patch)
treee67d6bcee5a9b7732ca9c7b1f76cfeda87a15942
parent748d3108a4167023c450fd5d951826de3dcb0dfb (diff)
parent9cca3eba79c5baef6e887fd86b7b7c01b8678e79 (diff)
Merge pull request #16205 from vespa-engine/freva/cors
Add Vary header to CORS filters
-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java14
-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilter.java14
-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsResponseFilter.java3
3 files changed, 12 insertions, 19 deletions
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java
index 54bc6239cf5..185984deeec 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java
@@ -1,10 +1,7 @@
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jdisc.http.filter.security.cors;
-import com.google.common.collect.ImmutableMap;
-
import java.time.Duration;
-import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
@@ -15,20 +12,21 @@ import java.util.TreeMap;
class CorsLogic {
private CorsLogic() {}
- static final String CORS_PREFLIGHT_REQUEST_CACHE_TTL = Long.toString(Duration.ofDays(7).getSeconds());
+ static final String CORS_PREFLIGHT_REQUEST_CACHE_TTL = Long.toString(Duration.ofDays(7).getSeconds());
static final String ALLOW_ORIGIN_HEADER = "Access-Control-Allow-Origin";
- static final Map<String, String> ACCESS_CONTROL_HEADERS = ImmutableMap.of(
+ static final Map<String, String> ACCESS_CONTROL_HEADERS = Map.of(
"Access-Control-Max-Age", CORS_PREFLIGHT_REQUEST_CACHE_TTL,
"Access-Control-Allow-Headers", "Origin,Content-Type,Accept,Yahoo-Principal-Auth,Okta-Identity-Token,Okta-Access-Token,Okta-Refresh-Token",
- "Access-Control-Allow-Methods", "OPTIONS,GET,PUT,DELETE,POST",
- "Access-Control-Allow-Credentials", "true"
+ "Access-Control-Allow-Methods", "OPTIONS,GET,PUT,DELETE,POST,PATCH",
+ "Access-Control-Allow-Credentials", "true",
+ "Vary", "Origin"
);
static Map<String, String> createCorsResponseHeaders(String requestOriginHeader,
Set<String> allowedOrigins) {
- if (requestOriginHeader == null) return Collections.emptyMap();
+ if (requestOriginHeader == null) return Map.of();
TreeMap<String, String> headers = new TreeMap<>();
allowedOrigins.stream()
.filter(allowedUrl -> matchesRequestOrigin(requestOriginHeader, allowedUrl))
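Review bot: `Vary: Origin` is only emitted on the path that reaches ACCESS_CONTROL_HEADERS; the new early return `if (requestOriginHeader == null) return Map.of();` still sends a response with no Vary at all for requests that carry no Origin. A shared cache that stores that Origin-less response can then serve it to a later cross-origin request for the same URL, which gets no Access-Control-Allow-Origin and fails in the browser intermittently; the usual guidance is to send `Vary: Origin` whenever the response depends on Origin, including when Origin is absent, e.g. `if (requestOriginHeader == null) return Map.of("Vary", "Origin");` provided no caller relies on the empty map as a "no CORS" signal. How ACCESS_CONTROL_HEADERS is merged into the TreeMap is past the end of this hunk, so that part is inferred. Worth checking too that CorsResponseFilter, which this diff only touches in the constructor, does not copy these headers with a replacing put, since that would overwrite any Vary value the wrapped response already carries rather than append to it.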
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilter.java
index 6e14cbe8ac2..1178ec922b2 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilter.java
@@ -10,7 +10,6 @@ import com.yahoo.jdisc.http.filter.DiscFilterRequest;
import com.yahoo.jdisc.http.filter.SecurityRequestFilter;
import com.yahoo.yolean.chain.Provides;
-import java.util.HashSet;
import java.util.Set;
import static com.yahoo.jdisc.http.HttpRequest.Method.OPTIONS;
@@ -18,15 +17,14 @@ import static com.yahoo.jdisc.http.HttpRequest.Method.OPTIONS;
/**
* <p>
* This filter makes sure we respond as quickly as possible to CORS pre-flight requests
- * which browsers transmit before the Hosted Vespa dashboard code is allowed to send a "real" request.
+ * which browsers transmit before the Hosted Vespa console code is allowed to send a "real" request.
* </p>
* <p>
* An "Access-Control-Max-Age" header is added so that the browser will cache the result of this pre-flight request,
- * further improving the responsiveness of the Hosted Vespa dashboard application.
+ * further improving the responsiveness of the Hosted Vespa console.
* </p>
* <p>
- * Runs after all standard security request filters, but before BouncerFilter, as the browser does not send
- * credentials with pre-flight requests.
+ * Runs after before any security request filters to avoid CORS errors.
* </p>
*
* @author andreer
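Review bot: The rewritten third paragraph reads `* Runs after before any security request filters to avoid CORS errors.` — "after" is a leftover from the replaced wording. Suggest `* Runs before any security request filters to avoid CORS errors.`; it would also help to keep the reason the removed text gave, that browsers send no credentials with pre-flight requests, so an authenticating filter placed ahead of this one would reject them.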
@@ -39,18 +37,16 @@ public class CorsPreflightRequestFilter implements SecurityRequestFilter {
@Inject
public CorsPreflightRequestFilter(CorsFilterConfig config) {
- this.allowedUrls = new HashSet<>(config.allowedUrls());
+ this.allowedUrls = Set.copyOf(config.allowedUrls());
}
@Override
public void filter(DiscFilterRequest discFilterRequest, ResponseHandler responseHandler) {
- String origin = discFilterRequest.getHeader("Origin");
-
if (!discFilterRequest.getMethod().equals(OPTIONS.name()))
return;
HttpResponse response = HttpResponse.newInstance(Response.Status.OK);
-
+ String origin = discFilterRequest.getHeader("Origin");
CorsLogic.createCorsPreflightResponseHeaders(origin, allowedUrls)
.forEach(response.headers()::put);
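Review bot: Reading `Origin` only after the OPTIONS check is fine, but the filter still answers 200 OK to every OPTIONS request whether or not it is a CORS preflight (the method check and the HttpResponse construction above), and the Javadoc change in this commit places it ahead of the security filters. Consider limiting the short-circuit to actual preflights, e.g. `if (origin == null || discFilterRequest.getHeader("Access-Control-Request-Method") == null) return;` right after the method check, so that plain OPTIONS requests continue down the chain; whether that matters depends on what later handlers do with OPTIONS, which this diff does not show. `response.headers()::put` replaces rather than appends, which is harmless here on a freshly created response. The rest of filter(), including where the response is handed to responseHandler, lies outside the hunk.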
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsResponseFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsResponseFilter.java
index d0b9e4ce7c9..96f134db886 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsResponseFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsResponseFilter.java
@@ -8,7 +8,6 @@ import com.yahoo.jdisc.http.filter.RequestView;
import com.yahoo.jdisc.http.filter.SecurityResponseFilter;
import com.yahoo.yolean.chain.Provides;
-import java.util.HashSet;
import java.util.Set;
@@ -24,7 +23,7 @@ public class CorsResponseFilter extends AbstractResource implements SecurityResp
@Inject
public CorsResponseFilter(CorsFilterConfig config) {
- this.allowedUrls = new HashSet<>(config.allowedUrls());
+ this.allowedUrls = Set.copyOf(config.allowedUrls());
}
@Override