Closed
Labels
in: web, type: task
Brian Clozel opened SPR-12316 and commented
Several supported protocols and use cases need a more comprehensive strategy for securing endpoints based on HTTP Origins (i.e. not allow all 3rd party domains as origins for requests).
- default use case with SockJS - should all Origins be allowed, or should we enforce a single origin policy?
- supporting a central way to configure CORS in spring-mvc
- supporting ways to disable altogether or configure origin security in SockJS
- documenting those features and/or security caveats in the reference documentation
Sub-tasks:
- Add Simple way of whitelisting origin [SPR-12226] #16841
- No option to disable automatic addition of CORS header by Spring SockJS module [SPR-12283] #16888
- Consider adding a "Vary":"Origin" HTTP response header in SockJS implementation [SPR-12310] #16915
Issue Links:
- CORS support [SPR-9278] #13916