Description
Nanne Baars opened SPR-16130 and commented
Using a simple Spring Boot application and defining a REST endpoint with the following annotation:
@GetMapping
@CrossOrigin(value = "*")
fun allBlogs(): Iterable<BlogEntry> = blogRepository.findAll()
Using the following curl request (for testing purposes only, to easily show the response; you can do this with an XHR script running on foo.com as well):
curl -i -XGET -H "Origin: http://foo.com" http://localhost:8083/blogs/
which replies with:
HTTP/1.1 200
Access-Control-Allow-Origin: http://foo.com
Access-Control-Allow-Credentials: true
Content-Type: application/json;charset=UTF-8
The origin is reflected and, here is the strange part, the "Access-Control-Allow-Credentials" header is set to true, meaning any site can make an XHR request with credentials; see the attached link for why this can be an issue.
This probably is not the best default setting (using '*' with Access-Control-Allow-Credentials: true would have been better because the browser simply does not send credentials along in this case). In my opinion the default setting with * should set the Access-Control-Allow-Origin response header to "*" and leave out the Access-Control-Allow-Credentials header.
For more information, see: http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
Issue Links:
- DATAREST-1160 Adapt test cases to new CORS defaults in Spring 5.0.2
- CORS support broken when updating to Spring 5.0.2 [SPR-16346] #20893
Referenced from: commits 652e5c5
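The browser-side reasoning in the report, as an added example that is not part of the original issue or of Spring's own code: a JavaScript model of the CORS response check from the Fetch standard, run against three server policies (the reflecting one the report observed, the wildcard default the reporter asks for, and an explicit allowlist). The policy names, the trusted origin https://app.example and the use of http://foo.com as the attacker-controlled origin are assumptions made for this example.

```javascript
// Added example; not code from the Spring issue. Models the "CORS check" a
// browser applies to a cross-origin response before exposing it to a script.
// Policy names, https://app.example and http://foo.com are assumptions.

// Fetch standard, "CORS check": returns true when the response is exposed.
function corsCheck(requestOrigin, credentialsMode, headers) {
  const allowOrigin = headers["access-control-allow-origin"] ?? null;
  if (allowOrigin === null) return false;
  // "*" is accepted only for requests that carry no credentials.
  if (credentialsMode !== "include" && allowOrigin === "*") return true;
  // Otherwise the header must equal the request's own origin byte for byte.
  if (requestOrigin !== allowOrigin) return false;
  if (credentialsMode !== "include") return true;
  // Credentialed request: the response must also opt in explicitly.
  return headers["access-control-allow-credentials"] === "true";
}

// Server policies: each maps the request's Origin to the CORS response headers.
const policies = {
  // What the report observed from @CrossOrigin("*"): the Origin is echoed back
  // and Access-Control-Allow-Credentials is set to true.
  reflectOrigin(origin) {
    return {
      "access-control-allow-origin": origin,
      "access-control-allow-credentials": "true",
    };
  },
  // The default the reporter argues for: a literal "*" and no credentials header.
  wildcard() {
    return { "access-control-allow-origin": "*" };
  },
  // The usual hardened form when cookies really must cross origins: an
  // explicit allowlist (trusted origin is assumed), plus Vary: Origin so
  // caches do not serve one origin's headers to another.
  allowlist(origin) {
    const trusted = ["https://app.example"];
    if (!trusted.includes(origin)) return {};
    return {
      "access-control-allow-origin": origin,
      "access-control-allow-credentials": "true",
      vary: "Origin",
    };
  },
};

// Does a script at requestOrigin get to read the response under this policy?
function responseExposed(policyName, requestOrigin, credentialsMode) {
  const headers = policies[policyName](requestOrigin);
  return corsCheck(requestOrigin, credentialsMode, headers);
}

// The attack in the report: a page on http://foo.com issues a request with
// credentials: "include", so the victim's cookies for the API are attached.
function attackerCanReadWithCookies(policyName) {
  return responseExposed(policyName, "http://foo.com", "include");
}

// Stand-alone run: show what each policy exposes to the attacker origin.
for (const name of Object.keys(policies)) {
  console.log(
    `${name.padEnd(14)} credentialed read from http://foo.com: ` +
      `${attackerCanReadWithCookies(name)}`
  );
}
```

Run it with node; only the reflecting policy lets http://foo.com read a cookie-bearing response, while "*" fails the check for credentialed requests even if a server wrongly adds Access-Control-Allow-Credentials: true next to it. The same check is what makes the curl probe in the report meaningful: an arbitrary Origin coming back verbatim together with allow-credentials is exactly the header pair a browser will honour.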