Merge branch 'fix-public-cors' into '2.x'

Only enable full CORS config if a domain is specified See merge request !85

Merge branch 'fix-public-cors' into '2.x'
Only enable full CORS config if a domain is specified See merge request !85
7b54c81e · Daniel Gerhardt · c58cd000 · e3915655 · 7b54c81e
Commit 7b54c81e authored 6 years ago by Daniel Gerhardt
--- a/src/main/java/de/thm/arsnova/web/CorsFilter.java
+++ b/src/main/java/de/thm/arsnova/web/CorsFilter.java
@@ -36,30 +36,31 @@ public class CorsFilter extends org.springframework.web.filter.CorsFilter {
 		UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
 		CorsConfiguration config;

-		/* Grant full access from specified origins */
-		config = new CorsConfiguration();
-		config.setAllowedOrigins(origins);
-		config.addAllowedHeader("Accept");
-		config.addAllowedHeader("Content-Type");
-		config.addAllowedHeader("X-Requested-With");
-		config.addAllowedMethod("GET");
-		config.addAllowedMethod("POST");
-		config.addAllowedMethod("PUT");
-		config.addAllowedMethod("DELETE");
-		config.setAllowCredentials(true);
-		source.registerCorsConfiguration("/**", config);
-
-		/* Grant limited access from all origins */
-		config = new CorsConfiguration();
-		config.addAllowedOrigin("*");
-		config.addAllowedHeader("Accept");
-		config.addAllowedHeader("X-Requested-With");
-		config.addAllowedMethod("GET");
-		config.setAllowCredentials(true);
-		source.registerCorsConfiguration("/", config);
-		source.registerCorsConfiguration("/arsnova-config", config);
-		source.registerCorsConfiguration("/configuration/", config);
-		source.registerCorsConfiguration("/statistics", config);
+		if (!origins.isEmpty()) {
+			/* Grant full access from specified origins */
+			config = new CorsConfiguration();
+			config.setAllowedOrigins(origins);
+			config.addAllowedHeader("Accept");
+			config.addAllowedHeader("Content-Type");
+			config.addAllowedHeader("X-Requested-With");
+			config.addAllowedMethod("GET");
+			config.addAllowedMethod("POST");
+			config.addAllowedMethod("PUT");
+			config.addAllowedMethod("DELETE");
+			config.setAllowCredentials(true);
+			source.registerCorsConfiguration("/**", config);
+		} else {
+			/* Grant limited access from all origins */
+			config = new CorsConfiguration();
+			config.addAllowedOrigin("*");
+			config.addAllowedHeader("Accept");
+			config.addAllowedHeader("X-Requested-With");
+			config.addAllowedMethod("GET");
+			source.registerCorsConfiguration("/", config);
+			source.registerCorsConfiguration("/arsnova-config", config);
+			source.registerCorsConfiguration("/configuration/", config);
+			source.registerCorsConfiguration("/statistics", config);
+		}

 		return source;
 	}