[ https://issues.apache.org/jira/browse/CXF-5017?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sergey Beryozkin resolved CXF-5017.
-----------------------------------
Resolution: Fixed
Fix Version/s: 3.0.0, 2.7.6, 2.6.9, 2.5.11
Assignee: Sergey Beryozkin
> CrossOriginResourceSharingFilter FIELD_COMMA_PATTERN mangles firefox headers
> ----------------------------------------------------------------------------
>
> Key: CXF-5017
> URL: https://issues.apache.org/jira/browse/CXF-5017
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 2.6
> Environment: firefox
> Reporter: Pieter Goddijn
> Assignee: Sergey Beryozkin
> Priority: Minor
> Fix For: 2.5.11, 2.6.9, 2.7.6, 3.0.0
>
>
> When a CORS request header is sent with a comma delimited list of values without
> whitespace, the regexp:
> {private static final Pattern FIELD_COMMA_PATTERN = Pattern.compile(",\\w*");}
> consumes (part of) the next item in the list.
> The offending header in my case is (on an HTTP OPTIONS pre-flight check)
> Access-Control-Request-Headers: authorization,content-type
> which is eventually returned to the browser as:
> Access-Control-Allow-Headers: authorization, -type
> The result of which is Firefox refusing the cross-domain POST request
> following this OPTIONS check.
> I couldn't find a reason why the {\\w*} part should be part of a comma
> splitting regexp; changing the regexp to
> {"," , ",\\b*" or ",\\s"} fixed the problem for me and would seem more
> logical to me (but I'm not too familiar with the ins and outs of CXF).
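The behaviour described in the report, as an added example that is not code from CXF or from the reporter: it runs the quoted `,\\w*` pattern next to a comma split that consumes only whitespace, over constructed header values. The class name, the `split` helper and the `WHITESPACE_ONLY` pattern are assumptions for illustration; the pattern is not claimed to be the fix committed to CXF.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class CorsHeaderSplitDemo {
    // Pattern quoted in the report: "\\w*" also consumes the word
    // characters that follow the comma, i.e. the start of the next item.
    static final Pattern REPORTED = Pattern.compile(",\\w*");

    // Assumed replacement for this demo: consume only the comma and any
    // whitespace around it, never characters of a header name.
    static final Pattern WHITESPACE_ONLY = Pattern.compile("\\s*,\\s*");

    // Split a comma-delimited header value, trim each item, drop empties.
    static List<String> split(Pattern delimiter, String headerValue) {
        List<String> items = new ArrayList<>();
        for (String item : delimiter.split(headerValue)) {
            String trimmed = item.trim();
            if (!trimmed.isEmpty()) {
                items.add(trimmed);
            }
        }
        return items;
    }

    public static void main(String[] args) {
        // Constructed Access-Control-Request-Headers values; the first is
        // the one given in the report, the others vary the whitespace.
        String[] samples = {
            "authorization,content-type",
            "authorization, content-type",
            "authorization,\tcontent-type,x-requested-with",
        };
        for (String sample : samples) {
            System.out.println("request : " + sample.replace("\t", "\\t"));
            System.out.println("  reported pattern   -> "
                    + String.join(", ", split(REPORTED, sample)));
            System.out.println("  whitespace pattern -> "
                    + String.join(", ", split(WHITESPACE_ONLY, sample)));
        }
    }
}
```

With the reported pattern the first sample comes back as `authorization, -type`, while the second sample (comma followed by a space) survives intact, which is why the defect only shows up for clients that send the list without whitespace.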