Uploaded image for project: 'Spring Framework'
  1. Spring Framework
  2. SPR-16262

spring-web CORS requires X-Forwarded-Port

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 4.3.12
    • Fix Version/s: 4.3.14, 5.0.3
    • Component/s: Web
    • Labels:
      None
    • Last commented by a User:
      true

      Description

      I am running a spring-boot app within Google AppEngine behind an IAP proxy which terminates https connections. The proxy sets X-Forwarded-Proto=https on requests, but does not set X-Forwarded-Port. The result is that the spring-web CORS filter rejects requests with "not same origin" even though the origin actually is the same.

      This is made worse by the fact that the Chrome browser sends the "origin" header on many different request types, including all POST requests and all resources referenced from a css-file (eg fonts) - ie on requests which are NOT cross-origin.

      While it may be argued that Google should add a header, this is a problem that may hit many users. It is also really really nasty to actually figure out the real cause of the problem..

        Issue Links

          Activity

          Transition Time In Source Status Execution Times Last Executer Last Execution Date
          Open Open In Progress In Progress
          15d 22h 6m 1 Sébastien Deleuze 20/Dec/17 2:19 PM
          In Progress In Progress Resolved Resolved
          19d 23h 51m 1 Sébastien Deleuze 09/Jan/18 2:11 PM

            People

            • Assignee:
              sdeleuze Sébastien Deleuze
              Reporter:
              simon-um simon Kitching
              Last updater:
              Sébastien Deleuze
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Days since last comment:
                1 week ago