Uploaded image for project: 'Spring Framework'
  1. Spring Framework
  2. SPR-16262

spring-web CORS requires X-Forwarded-Port

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 4.3.12
    • Fix Version/s: 4.3.14, 5.0.3
    • Component/s: Web
    • Labels:
      None
    • Last commented by a User:
      true

      Description

      I am running a spring-boot app within Google AppEngine behind an IAP proxy which terminates https connections. The proxy sets X-Forwarded-Proto=https on requests, but does not set X-Forwarded-Port. The result is that the spring-web CORS filter rejects requests with "not same origin" even though the origin actually is the same.

      This is made worse by the fact that the Chrome browser sends the "origin" header on many different request types, including all POST requests and all resources referenced from a css-file (eg fonts) - ie on requests which are NOT cross-origin.

      While it may be argued that Google should add a header, this is a problem that may hit many users. It is also really really nasty to actually figure out the real cause of the problem..

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                sdeleuze Sébastien Deleuze
                Reporter:
                simon-um simon Kitching
                Last updater:
                Stéphane Nicoll
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Days since last comment:
                  36 weeks, 3 days ago