Should I send an Access-Control-Allow-Origin header for invalid sources in the actual request after an OPTIONS request?

I have a general idea of how this works. I return the same value as the request's "Origin" header if that origin is valid (allowed).

But I do not know:

  1. For the actual request following the OPTIONS request, do I need to include the same Access-Control-Allow-Origin header that I returned to the client in response to the preflight check? Should the server code do this only if the "Origin" header is present in the actual request? (In the code below I did not check whether the request is an OPTIONS/preflight request or an actual one; I assume the same code can be applied to both without harm.)

     (In more detail: because the "Access-Control-Allow-Origin" header value in the response must not be the wildcard "*" when the request's credentials mode is "turned on", I need the Origin value from the request in order to return it in the response.)

  2. What do I need to return if the Origin is not allowed?

     not including the Access-Control-Allow-Origin header at all?
     or setHeader("Access-Control-Allow-Origin", ""), or setHeader("Access-Control-Allow-Origin", "null")?

import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.regex.Pattern;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.ext.Provider;

import org.springframework.util.StringUtils;

@Provider
public class CORSResponseFilter implements ContainerResponseFilter {

    @Override
    public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext) throws IOException {
        MultivaluedMap<String, Object> headers = responseContext.getHeaders();

        // Origin sent by the browser; absent for same-origin requests and most non-browser clients
        String origin = requestContext.getHeaderString("Origin");

        URL originUrl = null;
        try {
            if (StringUtils.hasText(origin)) {
                originUrl = new URL(origin);

                // mydomain.com and its subdomains only; matches() anchors the pattern to the whole host
                Pattern hostAllowedPattern = Pattern.compile("(.+\\.)*mydomain\\.com", Pattern.CASE_INSENSITIVE);

                if (hostAllowedPattern.matcher(originUrl.getHost()).matches()) {
                    headers.add("Access-Control-Allow-Origin", origin);
                } else {
                    headers.add("Access-Control-Allow-Origin", "");
                }
                headers.add("Vary", "Origin");
            }

            headers.add("Access-Control-Allow-Credentials", "true");
            headers.add("Access-Control-Allow-Methods", "GET, POST, DELETE, PUT");
            headers.add("Access-Control-Allow-Headers",
                    "<allowed request headers: value cut off in the original post>");
        } catch (MalformedURLException e) {
            // catch clause and closing braces restored (cut off in the original post):
            // an Origin that is not a URL, such as "null", ends up with no CORS headers at all
        }
    }
}
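The decisions the question is asking about (echo the Origin on both the preflight and the actual response, omit Access-Control-Allow-Origin entirely when the origin is not allowed, always send Vary: Origin) can be modelled independently of JAX-RS. The following Python is an added example, not code from the question or its answer; it reuses the question's host pattern, and the allowed-methods, allowed-headers and max-age values are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit

# Same host rule as the question's filter: mydomain.com and any subdomain.
# fullmatch() anchors the pattern to the whole host, like Java's matches(),
# so "mydomain.com.evil.example" and "evilmydomain.com" are rejected.
ALLOWED_HOST = re.compile(r"(.+\.)*mydomain\.com", re.IGNORECASE)

# Assumed policy values (not from the original post).
ALLOWED_METHODS = "GET, POST, PUT, DELETE"
ALLOWED_REQUEST_HEADERS = "Content-Type, Authorization"


def allowed_origin(origin):
    """Return the Origin value to echo back, or None if it is absent or not trusted."""
    if not origin or origin == "null":
        # No Origin: same-origin request or a non-browser client such as curl.
        # "null": opaque origin (sandboxed iframe, file://), shared by unrelated
        # pages, so it is never a safe value to echo back.
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if ALLOWED_HOST.fullmatch(parts.hostname) is None:
        return None
    return origin


def cors_headers(method, request_headers):
    """CORS response headers for one request, preflight or actual.

    request_headers: dict of request header name -> value (looked up case-insensitively).
    Returns a dict of the CORS-related response headers to add.
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    # Always present: the response depends on Origin, so shared caches must key on it.
    out = {"Vary": "Origin"}

    origin = allowed_origin(req.get("origin"))
    if origin is None:
        # Not allowed: omit Access-Control-Allow-Origin entirely. The browser then
        # fails its CORS check; no "" or "null" value is needed for that.
        return out

    # The same echoed origin goes on both the preflight and the actual response,
    # because the browser checks it on each one separately.
    out["Access-Control-Allow-Origin"] = origin
    # Credentials are allowed, which is exactly why "*" cannot be used above.
    out["Access-Control-Allow-Credentials"] = "true"

    is_preflight = method.upper() == "OPTIONS" and "access-control-request-method" in req
    if is_preflight:
        # Preflight-only headers; they are ignored on the actual response.
        out["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        out["Access-Control-Allow-Headers"] = ALLOWED_REQUEST_HEADERS
        out["Access-Control-Max-Age"] = "600"  # seconds the browser may cache this preflight
    return out


if __name__ == "__main__":
    # Constructed sample requests.
    preflight = {"Origin": "https://app.mydomain.com",
                 "Access-Control-Request-Method": "PUT",
                 "Access-Control-Request-Headers": "content-type"}
    print(cors_headers("OPTIONS", preflight))
    print(cors_headers("PUT", {"Origin": "https://app.mydomain.com"}))
    print(cors_headers("GET", {"Origin": "https://mydomain.com.evil.example"}))
    print(cors_headers("GET", {}))  # e.g. curl without an Origin header
```

Running the block prints the full preflight header set for the allowed origin, the shorter set for the actual PUT, and only Vary: Origin for the look-alike host and for the request with no Origin at all.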
1 answer

, OPTIONS, Access-Control-Allow-Origin, ?

, , , "*", - , OPTIONS. , , , OPTIONS, ( ).

, "ORIGIN"?

, , JavaScript-, , , XHR API Fetch Ajax - JavaScript, -, Origin . Access-Control-Allow-Origin .

, Access-Control-Allow-Origin - , Origin - , , .

, - curl - , , Origin . - , , - , . .

, ORIGIN ?
Access-Control-Allow-Origin?

. Access-Control-Allow-Origin . , : Access-Control-Allow-Origin, , - , , .

, Access-Control-Allow-Origin, , : ", , , JavaScript , ."

setHeader ( "Access-Control-Allow-Origin", ""),

, . .

setHeader ( "Access-Control-Allow-Origin", "null" )?

. , Origin null Origin: null , .

. . , null Firefox Origin null POST?


Source: https://habr.com/ru/post/1685200/
