
dhis2-devs team mailing list archive

[Branch ~dhis2-devs-core/dhis2/trunk] Rev 17850: minor CORS preflight fix

 

------------------------------------------------------------
revno: 17850
committer: Morten Olav Hansen <mortenoh@xxxxxxxxx>
branch nick: dhis2
timestamp: Tue 2014-12-30 23:33:23 +0100
message:
  minor CORS preflight fix
modified:
  dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/filter/CorsFilter.java


--
lp:dhis2
https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk

=== modified file 'dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/filter/CorsFilter.java'
--- dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/filter/CorsFilter.java	2014-12-30 22:08:20 +0000
+++ dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/filter/CorsFilter.java	2014-12-30 22:33:23 +0000
@@ -54,6 +54,8 @@
 
     public static final String CORS_ALLOW_HEADERS = "Access-Control-Allow-Headers";
 
+    public static final String CORS_EXPOSE_HEADERS = "Access-Control-Expose-Headers";
+
     public static final String CORS_REQUEST_HEADERS = "Access-Control-Request-Headers";
 
     public static final String CORS_ALLOW_METHODS = "Access-Control-Allow-Methods";
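Review bot: `CORS_EXPOSE_HEADERS` is added as a public constant, but none of the hunks in this revision sets that header on a response. If it is meant for a later change, a short comment such as `// not yet sent; would list response headers readable by cross-origin scripts` would say so. Otherwise I would leave the constant out until something uses it.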
@@ -66,7 +68,7 @@
 
     private static final String ALLOWED_HEADERS = "Accept, Content-Type, Authorization, X-Requested-With";
 
-    private static final Integer MAX_AGE = 60 * 60;
+    private static final Integer MAX_AGE = 60 * 60; // 1hr max-age
 
     @Override
     public void doFilter( ServletRequest req, ServletResponse res, FilterChain filterChain ) throws IOException, ServletException
@@ -79,12 +81,13 @@
 
         response.addHeader( CORS_ALLOW_CREDENTIALS, "true" );
         response.addHeader( CORS_ALLOW_ORIGIN, origin );
-        response.addHeader( CORS_ALLOW_METHODS, ALLOWED_METHODS );
-        response.addHeader( CORS_MAX_AGE, String.valueOf( MAX_AGE ) );
-        response.addHeader( CORS_ALLOW_HEADERS, ALLOWED_HEADERS );
 
         if ( isPreflight( request ) )
         {
+            response.addHeader( CORS_ALLOW_METHODS, ALLOWED_METHODS );
+            response.addHeader( CORS_ALLOW_HEADERS, ALLOWED_HEADERS );
+            response.addHeader( CORS_MAX_AGE, String.valueOf( MAX_AGE ) );
+
             response.setStatus( HttpServletResponse.SC_NO_CONTENT );
             return; // CORS preflight requires a 2xx status code, so we need to short-circuit the filter chain here
         }
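Review bot: `Access-Control-Allow-Origin` is still set to `origin` together with `Access-Control-Allow-Credentials: true` on every response, preflight or not (the two context lines at the top of this hunk). The assignment of `origin` is above the hunk; if it is the request's `Origin` header echoed back without a check, a page on any other site can send requests carrying the user's session and read the replies. I would compare `origin` against a configured allowlist before these two lines and send no CORS headers when it does not match. I would also add `response.addHeader( "Vary", "Origin" );` so a cache cannot serve a response built for one origin to another. The body of `doFilter` starts above this hunk and continues past it.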