Pieter Goddijn created CXF-5017:
-----------------------------------
Summary: CrossOriginResourceSharingFilter FIELD_COMMA_PATTERN mangles firefox headers
Key: CXF-5017
URL: https://issues.apache.org/jira/browse/CXF-5017
Project: CXF
Issue Type: Bug
Components: JAX-RS Security
Affects Versions: 2.6
Environment: firefox
Reporter: Pieter Goddijn
Priority: Minor

When a CORS request header is sent with a comma-delimited list of values without
whitespace, the regexp:

    private static final Pattern FIELD_COMMA_PATTERN = Pattern.compile(",\\w*");

consumes (part of) the next item in the list.

The offending header in my case is (on an HTTP OPTIONS pre-flight check)

    Access-Control-Request-Headers: authorization,content-type

which is eventually returned to the browser as:

    Access-Control-Allow-Headers: authorization, -type

The result of which is Firefox refusing the cross-domain POST request following
this OPTIONS check.

I couldn't find a reason why the \\w* part should be part of a comma-splitting
regexp. Changing the regexp to ",", ",\\b*" or ",\\s" fixed the problem for me
and would seem more logical to me (but I'm not too familiar with the ins and
outs of CXF).
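
Added example (not part of the original report and not CXF code): a stand-alone Java reproduction of the splitting behaviour described above, next to a whitespace-tolerant comma split for comparison. The class name CorsHeaderSplitDemo, the echo() helper, the COMMA_OWS pattern and the split-then-join model of the filter are assumptions made for illustration; only the ",\\w*" pattern and the first sample header come from the report.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class CorsHeaderSplitDemo {
    // Pattern quoted in the report.
    static final Pattern REPORTED = Pattern.compile(",\\w*");
    // Assumed alternative for comparison: a comma plus optional whitespace around it.
    static final Pattern COMMA_OWS = Pattern.compile("\\s*,\\s*");

    // Assumed model of the filter: split the requested header list with the
    // pattern, then echo the non-empty pieces joined by ", ".
    static String echo(Pattern splitter, String headerValue) {
        List<String> items = new ArrayList<>();
        for (String piece : splitter.split(headerValue)) {
            String item = piece.trim();
            if (!item.isEmpty()) {
                items.add(item);
            }
        }
        return String.join(", ", items);
    }

    public static void main(String[] args) {
        // Constructed sample values; the first is the header from the report.
        String[] samples = {
            "authorization,content-type",
            "authorization, content-type",
            "authorization,accept,content-type",
        };
        for (String requested : samples) {
            System.out.println("requested : " + requested);
            System.out.println("  ,\\w*    : " + echo(REPORTED, requested));
            System.out.println("  \\s*,\\s* : " + echo(COMMA_OWS, requested));
        }
    }
}
```

For the header in the report, the first pattern produces the "authorization, -type" value quoted above, and a name made only of word characters (the constructed "accept" entry) disappears from the echoed list entirely.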