Do not support any Origin by default if CORS is enabled #29692
Sorry, will clean it up, I thought I knew which tests could be affected
+1 on the principle here; enabling CORS should not have `*` by default, given we apply #29626 so same origin still works.
Would prefer if @stuartwdouglas or @cescoffier verifies the implementation beyond just me.
Thanks @maxandersen, sure, as commented in the other issue, Stuart's same origin check fix is a better version of
extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSFilter.java
Boolean all origins value is introduced as requested
Hi @stuartwdouglas I'll go ahead with the merge tomorrow if you don't have other comments, thanks
Migration guide has been updated: https://github.com/quarkusio/quarkus/wiki/Migration-Guide-2.16#no-wildcard-origin-support-by-default-for-cors-filter
If CORS is enabled then the users have to take an action and enable the wildcard if they really need to, as opposed to Quarkus doing it by default. This update will hopefully encourage users to take CORS configuration more seriously.
DevUI is not expected to be affected.
Note I'm adding the wildcard to the tests to have them passing again, which also shows that the users who need a wildcard will only have to add one more property.
The migration guide update will follow.
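
The behaviour this thread converges on (no wildcard unless configured, same origin still accepted), as an added example that is not part of the PR and is not Quarkus's `CORSFilter`. It is a simplified model; the class, the method names and the sample URLs are assumptions made for illustration.

```java
import java.net.URI;
import java.util.List;

// Simplified model of the origin decision discussed above; not the project's code.
public class CorsOriginPolicy {

    // Hypothetical helper: the wildcard counts only when it is the single configured entry.
    static boolean isWildcard(List<String> configured) {
        return configured.size() == 1 && "*".equals(configured.get(0));
    }

    // Same origin means scheme, host and port of the Origin header match the request URL.
    static boolean isSameOrigin(String origin, String requestUrl) {
        try {
            URI o = URI.create(origin);
            URI r = URI.create(requestUrl);
            return o.getScheme() != null && o.getHost() != null
                    && o.getScheme().equalsIgnoreCase(r.getScheme())
                    && o.getHost().equalsIgnoreCase(r.getHost())
                    && effectivePort(o) == effectivePort(r);
        } catch (IllegalArgumentException e) {
            return false; // malformed Origin value is never treated as same origin
        }
    }

    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    static boolean isAllowed(String origin, String requestUrl, List<String> configured) {
        if (origin == null) return true;              // no Origin header: not a CORS request
        if (isWildcard(configured)) return true;      // only after an explicit opt-in
        if (configured.contains(origin)) return true; // exact match on a configured origin
        return isSameOrigin(origin, requestUrl);      // empty list: same origin only
    }

    public static void main(String[] args) {
        String url = "https://app.example.com/api/items"; // constructed sample values
        String other = "https://other.example.net";
        System.out.println(isAllowed(other, url, List.of()));    // CORS on, no origins set
        System.out.println(isAllowed("https://app.example.com", url, List.of()));
        System.out.println(isAllowed(other, url, List.of("*"))); // wildcard opted in
        System.out.println(isAllowed(other, url, List.of("https://ui.example.org")));
    }
}
```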