This is an automated email from the ASF dual-hosted git repository.
schultz pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new af4ee91831 Send fewer CORS-related headers when CORS is not actually
being engaged.
af4ee91831 is described below
commit af4ee918319c566c43eb8c4e48cdef198ecefc60
Author: Christopher Schultz <[email protected]>
AuthorDate: Fri Sep 22 12:23:00 2023 -0400
Send fewer CORS-related headers when CORS is not actually being engaged.
This fixes https://bz.apache.org/bugzilla/show_bug.cgi?id=67472
---
java/org/apache/catalina/filters/CorsFilter.java | 6 +++++-
webapps/docs/changelog.xml | 4 ++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/catalina/filters/CorsFilter.java
b/java/org/apache/catalina/filters/CorsFilter.java
index 6c96555e01..5e2414b446 100644
--- a/java/org/apache/catalina/filters/CorsFilter.java
+++ b/java/org/apache/catalina/filters/CorsFilter.java
@@ -323,7 +323,11 @@ public class CorsFilter implements Filter {
private void handleNonCORS(final HttpServletRequest request, final
HttpServletResponse response,
final FilterChain filterChain) throws IOException,
ServletException {
- addStandardHeaders(request, response);
+ if (!isAnyOriginAllowed()) {
+ // If only specific origins are allowed, the response will vary by
+ // origin
+ ResponseUtil.addVaryFieldName(response,
CorsFilter.REQUEST_HEADER_ORIGIN);
+ }
// Let request pass.
filterChain.doFilter(request, response);
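Review bot: The comment inside the new `if (!isAnyOriginAllowed())` block in handleNonCORS says the response "will vary by origin" but not why a request that carries no CORS semantics still needs `Vary: Origin`. A shared cache that stores this response without the Vary field could later serve it to a request that does send an Origin header, so the comment should say that this is a cache-correctness measure. The removed `addStandardHeaders(request, response)` call is not expanded in this hunk, so please confirm that Vary on Origin is the only thing it set that a non-CORS response still needs. The diffstat lists only CorsFilter.java and changelog.xml, so a test asserting the headers on a non-CORS response for both values of isAnyOriginAllowed() would keep this from regressing.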
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 5f7e8b2784..836c2f5760 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -165,6 +165,10 @@
branch requiring additional Commons IO dependencies, Tomcat has
switched
to tracking the 1.x branch. (markt)
</update>
+ <fix>
+ <bug>67472</bug>: Send fewer CORS-related headers when CORS is not
+ actually being engaged. (schultz)
+ </fix>
</changelog>
</subsection>
</section>
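Review bot: The new `<fix>` entry for bug 67472 says "Send fewer CORS-related headers" without naming which headers stop being sent or under which condition, so an operator reading the changelog cannot tell whether responses they cache or inspect will change. Suggest wording that states the behaviour visible in the CorsFilter hunk: non-CORS requests no longer get the standard CORS headers, and the Vary field for Origin is still added when only specific origins are allowed.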