Author: markt
Date: Thu May 31 09:44:21 2018
New Revision: 1832592
URL: http://svn.apache.org/viewvc?rev=1832592&view=rev
Log:
Update docs after changes for CVE-2018-8014
Modified:
tomcat/trunk/java/org/apache/catalina/filters/CorsFilter.java
tomcat/trunk/webapps/docs/config/filter.xml
Modified: tomcat/trunk/java/org/apache/catalina/filters/CorsFilter.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/CorsFilter.java?rev=1832592&r1=1832591&r2=1832592&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/CorsFilter.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/CorsFilter.java Thu May 31
09:44:21 2018
@@ -1060,7 +1060,7 @@ public class CorsFilter extends GenericF
// ------------------------------------------------ Configuration Defaults
/**
- * By default, all origins are allowed to make requests.
+ * By default, no origins are allowed to make requests.
*/
public static final String DEFAULT_ALLOWED_ORIGINS = "";
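Review bot: The revised Javadoc on `DEFAULT_ALLOWED_ORIGINS` states the new default but not how it is expressed, so a reader has to connect the empty string to "no origins" unaided. Consider `By default, no origins are allowed to make requests (empty value); "*" must be configured explicitly to allow any origin.` so the comment and the constant can be checked against each other. The enclosing class starts and ends outside this hunk, so how the empty value is parsed is not visible here.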
@@ -1076,7 +1076,7 @@ public class CorsFilter extends GenericF
public static final String DEFAULT_PREFLIGHT_MAXAGE = "1800";
/**
- * By default, support credentials is turned on.
+ * By default, support credentials is disabled.
*/
public static final String DEFAULT_SUPPORTS_CREDENTIALS = "false";
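Review bot: The new wording "support credentials is disabled" on `DEFAULT_SUPPORTS_CREDENTIALS` reads awkwardly and does not say why the default matters. Something like `By default, support for credentials is disabled; enable it only together with an explicit list of allowed origins.` would be clearer. The commit log ties this change to CVE-2018-8014, and presumably the concern is credentialed requests being accepted from any origin. Whether the filter rejects a wildcard origin combined with credentials at init time is not visible in this hunk, so the comment should not promise it.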
Modified: tomcat/trunk/webapps/docs/config/filter.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/filter.xml?rev=1832592&r1=1832591&r2=1832592&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/filter.xml (original)
+++ tomcat/trunk/webapps/docs/config/filter.xml Thu May 31 09:44:21 2018
@@ -130,7 +130,7 @@
specified to enable access to resource from any origin. Otherwise, a
whitelist of comma separated origins can be provided. Eg: <code>
http://www.w3.org, https://www.apache.org</code>.
- <strong>Defaults:</strong> <code>*</code> (Any origin is allowed to
+ <strong>Defaults:</strong> The empty String. (No origin is allowed to
access the resource).</p>
</attribute>
<attribute name="cors.allowed.methods" required="false">
@@ -171,7 +171,7 @@
<code>Access-Control-Allow-Credentials</code> header in a pre-flight
response. It helps browser determine whether or not an actual request
can be made using credentials. <strong>Defaults:</strong>
- <code>true</code></p>
+ <code>false</code></p>
</attribute>
<attribute name="cors.request.decorate" required="false">
<p>A flag to control if CORS specific attributes should be added to