Uploaded image for project: 'Spring Framework'
  1. Spring Framework
  2. SPR-16262

spring-web CORS requires X-Forwarded-Port

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 4.3.12
    • Fix Version/s: 4.3.14, 5.0.3
    • Component/s: Web
    • Labels:
      None
    • Last commented by a User:
      true

      Description

      I am running a spring-boot app within Google AppEngine behind an IAP proxy which terminates https connections. The proxy sets X-Forwarded-Proto=https on requests, but does not set X-Forwarded-Port. The result is that the spring-web CORS filter rejects requests with "not same origin" even though the origin actually is the same.

      This is made worse by the fact that the Chrome browser sends the "origin" header on many different request types, including all POST requests and all resources referenced from a css-file (eg fonts) - ie on requests which are NOT cross-origin.

      While it may be argued that Google should add a header, this is a problem that may hit many users. It is also really really nasty to actually figure out the real cause of the problem..

        Issue Links

          Activity

            People

            • Assignee:
              sdeleuze S├ębastien Deleuze
              Reporter:
              simon-um simon Kitching
              Last updater:
              S├ębastien Deleuze
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Days since last comment:
                1 week ago