Diffstat (limited to 'jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilter.java')
-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilter.java14
1 files changed, 5 insertions, 9 deletions
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilter.java
index 6e14cbe8ac2..1178ec922b2 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilter.java
@@ -10,7 +10,6 @@ import com.yahoo.jdisc.http.filter.DiscFilterRequest;
import com.yahoo.jdisc.http.filter.SecurityRequestFilter;
import com.yahoo.yolean.chain.Provides;
-import java.util.HashSet;
import java.util.Set;
import static com.yahoo.jdisc.http.HttpRequest.Method.OPTIONS;
@@ -18,15 +17,14 @@ import static com.yahoo.jdisc.http.HttpRequest.Method.OPTIONS;
/**
* <p>
* This filter makes sure we respond as quickly as possible to CORS pre-flight requests
- * which browsers transmit before the Hosted Vespa dashboard code is allowed to send a "real" request.
+ * which browsers transmit before the Hosted Vespa console code is allowed to send a "real" request.
* </p>
* <p>
* An "Access-Control-Max-Age" header is added so that the browser will cache the result of this pre-flight request,
- * further improving the responsiveness of the Hosted Vespa dashboard application.
+ * further improving the responsiveness of the Hosted Vespa console.
* </p>
* <p>
- * Runs after all standard security request filters, but before BouncerFilter, as the browser does not send
- * credentials with pre-flight requests.
+ * Runs after before any security request filters to avoid CORS errors.
* </p>
*
* @author andreer
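Review bot: The rewritten Javadoc sentence reads "Runs after before any security request filters", which contradicts itself and leaves the filter ordering unclear; it should read `* Runs before any security request filters to avoid CORS errors.` The removed wording also carried the reason this ordering is acceptable, namely that browsers do not send credentials with pre-flight requests. Keeping that clause, for example `* Pre-flight requests carry no credentials, so they must be answered before authentication filters run.`, tells the next maintainer that the unauthenticated response is intentional.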
@@ -39,18 +37,16 @@ public class CorsPreflightRequestFilter implements SecurityRequestFilter {
@Inject
public CorsPreflightRequestFilter(CorsFilterConfig config) {
- this.allowedUrls = new HashSet<>(config.allowedUrls());
+ this.allowedUrls = Set.copyOf(config.allowedUrls());
}
@Override
public void filter(DiscFilterRequest discFilterRequest, ResponseHandler responseHandler) {
- String origin = discFilterRequest.getHeader("Origin");
-
if (!discFilterRequest.getMethod().equals(OPTIONS.name()))
return;
HttpResponse response = HttpResponse.newInstance(Response.Status.OK);
-
+ String origin = discFilterRequest.getHeader("Origin");
CorsLogic.createCorsPreflightResponseHeaders(origin, allowedUrls)
.forEach(response.headers()::put);
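Review bot: `Set.copyOf` in the constructor returns an unmodifiable set whose `contains(null)` throws NullPointerException, whereas the `HashSet` it replaces returned false. In `filter`, `origin` is null for any OPTIONS request without an Origin header, and it is passed together with `allowedUrls` into `CorsLogic.createCorsPreflightResponseHeaders`, which is not visible in this diff. If that helper looks the origin up in the set before checking for null, such a request would now end in an exception rather than a response without CORS headers, and per the class Javadoc this filter runs ahead of the security filters, so the path needs no credentials. Confirm that the helper null-checks first and record it at the call site, e.g. `// origin is null when the Origin header is absent; CorsLogic must check for null before allowedUrls.contains(origin)`. The body of `filter` continues past the end of the hunk.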