AbstractSockJsService.checkAndAddCorsHeaders fails for same origin requests when setAllowedOrigins is set [SPR-12660]

[spring-projects-issues]

Rob Winch opened SPR-12660 and commented

If the StompEndpointRegistry.setAllowedOrigins does not contain "*", then any requests made from the same domain will be rejected (i.e. it is only possible for an external domain to work).

This is due to the fact that that if a request made from the same domain, the browser does not add the "Origin" header. That means that checkAndAddCorsHeaders will reject the request.

---

Affects: 4.1.4

Reference URL: https://github.com/spring-projects/spring-framework/blob/v4.1.4.RELEASE/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/AbstractSockJsService.java#L427

Issue Links:

• Add Simple way of whitelisting origin [SPR-12226] #16841 Add Simple way of whitelisting origin
• Javascript error with SockJS when using iframe-htmlfile + IE8 [SPR-12698] #17295 Javascript error with SockJS when using iframe-htmlfile + IE8
• Add CSP 1.1 frame-ancestors support [SPR-12699] #17296 Add CSP 1.1 frame-ancestors support
• Add same origin support to SockJS and WebSocket [SPR-12697] #17294 Add same origin support to SockJS and WebSocket

Referenced from: commits cc78d40, 9b3319b

0 votes, 5 watchers

[spring-projects-issues]

Sébastien Deleuze commented

Rob Winch Could you please have a look to this fix and send me your feedback? In addition to AbstractSockJsService.checkAndAddCorsHeaders(), I also modified OriginHandshakeInterceptor.
With the new behavior, the request succeeds when no Origin request header is found, regardless of the allowedOrigins property.

Please also notice that browsers are not consistent with Origin headers for same origin requests. For example in my tests based on spring-websocket-portfolio, Chrome set the Origin header for same origin Ajax requests, but Firefox does not. Thats means that you can't rely on the Origin request header to know if this is a cross or same origin request. As a consequence, IMO when you do not want to restrict allowed origins, * remains the only relevant default value. Do you agree ?

[spring-projects-issues]

Sébastien Deleuze commented

Resolved in master with this commit that implements the following changes:

• Requests without Origin header are not rejected anymore
• Disable Iframe when allowedOrigins is not empty and not equals to *
• The Iframe is not cached anymore in order to have a reliable origin check
• allowedOrigins must not be null or empty
• allowedOrigins format is now validated (should be * or start by http(s)://)

Juergen Hoeller It is ready to be merged in the 4.1.x branch.