blob: d162fff53b19b7e5a47f44c995596c8be74a70fd (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
|
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jdisc.http.filters.cors;
import com.google.inject.Inject;
import com.yahoo.jdisc.Response;
import com.yahoo.jdisc.handler.ContentChannel;
import com.yahoo.jdisc.handler.ResponseHandler;
import com.yahoo.jdisc.http.HttpResponse;
import com.yahoo.jdisc.http.filter.DiscFilterRequest;
import com.yahoo.jdisc.http.filter.SecurityRequestFilter;
import com.yahoo.yolean.chain.Provides;
import java.util.HashSet;
import java.util.Set;
import static com.yahoo.jdisc.http.HttpRequest.Method.OPTIONS;
import static com.yahoo.jdisc.http.filters.cors.CorsLogic.createCorsPreflightResponseHeaders;
/**
* <p>
* This filter makes sure we respond as quickly as possible to CORS pre-flight requests
* which browsers transmit before the Hosted Vespa dashboard code is allowed to send a "real" request.
* </p>
* <p>
* An "Access-Control-Max-Age" header is added so that the browser will cache the result of this pre-flight request,
* further improving the responsiveness of the Hosted Vespa dashboard application.
* </p>
* <p>
* Runs after all standard security request filters, but before BouncerFilter, as the browser does not send
* credentials with pre-flight requests.
* </p>
*
* @author andreer
* @author gv
* @author bjorncs
*/
@Provides("CorsPreflightSecurityRequestFilter")
public class CorsPreflightSecurityRequestFilter implements SecurityRequestFilter {
private final Set<String> allowedUrls;
@Inject
public CorsPreflightSecurityRequestFilter(CorsSecurityFilterConfig config) {
this.allowedUrls = new HashSet<>(config.allowedUrls());
}
@Override
public void filter(DiscFilterRequest discFilterRequest, ResponseHandler responseHandler) {
String origin = discFilterRequest.getHeader("Origin");
if (!discFilterRequest.getMethod().equals(OPTIONS.name()))
return;
HttpResponse response = HttpResponse.newInstance(Response.Status.OK);
createCorsPreflightResponseHeaders(origin, allowedUrls)
.forEach(response.headers()::put);
ContentChannel cc = responseHandler.handleResponse(response);
cc.close(null);
}
}
|