You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Summary
I have noticed strange behavior when requesting a static resource with GET, while having the cors filter enabled by providing a CorsFilter bean.
The problem is that the Vary headers get duplicated. This only happens, when the url gets mapped by SimpleUrlHandlerMapping to a request handler that implements CorsConfigurationSource,
because then the AbstractHandlerMapping that the SimpleUrlHandlerMapping extends, injects a CorsInterceptor into the HandlerExecutionChain.
This CorsInterceptor then uses a DefaultCorsProcessor to process the requests, which in turn automatically appends the Vary headers.
The problem is that the CorsFilter also uses this DefaultCorsProcessor, so that's why the Vary headers get duplicated.
Current behavior
When enabling the cors filter, static file responses contain duplicate Vary headers.
Expected behavior
When enabling the cors filter, static file responses contain unique Vary headers.
Related
Previously i thought this was related to spring security, so i created a ticket there (already resolved).
I'm linking it here for reference: spring-projects/spring-security#8245
The text was updated successfully, but these errors were encountered:
A potential fix would be to only inject the CorsInterceptor in the AbstractHandlerMapping if the handler extends CorsConfigurationSource AND it provides a non-null CorsConfiguration too.
Right now this check is being done in AbstractHandlerMapping#hasCorsConfigurationSource
Or another way would be to add the Vary headers in the DefaultCorsProcessor#processRequest only if they aren't already present.
Affects: 2.2.6 and up, from what i tested.
Summary
I have noticed strange behavior when requesting a static resource with GET, while having the cors filter enabled by providing a CorsFilter bean.
The problem is that the Vary headers get duplicated. This only happens, when the url gets mapped by SimpleUrlHandlerMapping to a request handler that implements CorsConfigurationSource,
because then the AbstractHandlerMapping that the SimpleUrlHandlerMapping extends, injects a CorsInterceptor into the HandlerExecutionChain.
This CorsInterceptor then uses a DefaultCorsProcessor to process the requests, which in turn automatically appends the Vary headers.
The problem is that the CorsFilter also uses this DefaultCorsProcessor, so that's why the Vary headers get duplicated.
Current behavior
When enabling the cors filter, static file responses contain duplicate Vary headers.
Expected behavior
When enabling the cors filter, static file responses contain unique Vary headers.
Configuration
Sample
https://github.com/rwinch/spring-boot-double-vary-headers/tree/no-security
Related
Previously i thought this was related to spring security, so i created a ticket there (already resolved).
I'm linking it here for reference:
spring-projects/spring-security#8245
The text was updated successfully, but these errors were encountered: