From e3915655c026a7075ba34b07f980d7a7c96ab873 Mon Sep 17 00:00:00 2001
From: Daniel Gerhardt <code@dgerhardt.net>
Date: Tue, 8 May 2018 15:15:05 +0200
Subject: [PATCH] Only enable full CORS config if a domain is specified

The public CORS config was always overridden by the more generic config.
Credentials are no longer allowed to be sent with default CORS config.
---
 .../java/de/thm/arsnova/web/CorsFilter.java   | 49 ++++++++++---------
 1 file changed, 25 insertions(+), 24 deletions(-)

diff --git a/src/main/java/de/thm/arsnova/web/CorsFilter.java b/src/main/java/de/thm/arsnova/web/CorsFilter.java
index c660011d6..e77520080 100644
--- a/src/main/java/de/thm/arsnova/web/CorsFilter.java
+++ b/src/main/java/de/thm/arsnova/web/CorsFilter.java
@@ -36,30 +36,31 @@ public class CorsFilter extends org.springframework.web.filter.CorsFilter {
 		UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
 		CorsConfiguration config;
 
-		/* Grant full access from specified origins */
-		config = new CorsConfiguration();
-		config.setAllowedOrigins(origins);
-		config.addAllowedHeader("Accept");
-		config.addAllowedHeader("Content-Type");
-		config.addAllowedHeader("X-Requested-With");
-		config.addAllowedMethod("GET");
-		config.addAllowedMethod("POST");
-		config.addAllowedMethod("PUT");
-		config.addAllowedMethod("DELETE");
-		config.setAllowCredentials(true);
-		source.registerCorsConfiguration("/**", config);
-
-		/* Grant limited access from all origins */
-		config = new CorsConfiguration();
-		config.addAllowedOrigin("*");
-		config.addAllowedHeader("Accept");
-		config.addAllowedHeader("X-Requested-With");
-		config.addAllowedMethod("GET");
-		config.setAllowCredentials(true);
-		source.registerCorsConfiguration("/", config);
-		source.registerCorsConfiguration("/arsnova-config", config);
-		source.registerCorsConfiguration("/configuration/", config);
-		source.registerCorsConfiguration("/statistics", config);
+		if (!origins.isEmpty()) {
+			/* Grant full access from specified origins */
+			config = new CorsConfiguration();
+			config.setAllowedOrigins(origins);
+			config.addAllowedHeader("Accept");
+			config.addAllowedHeader("Content-Type");
+			config.addAllowedHeader("X-Requested-With");
+			config.addAllowedMethod("GET");
+			config.addAllowedMethod("POST");
+			config.addAllowedMethod("PUT");
+			config.addAllowedMethod("DELETE");
+			config.setAllowCredentials(true);
+			source.registerCorsConfiguration("/**", config);
+		} else {
+			/* Grant limited access from all origins */
+			config = new CorsConfiguration();
+			config.addAllowedOrigin("*");
+			config.addAllowedHeader("Accept");
+			config.addAllowedHeader("X-Requested-With");
+			config.addAllowedMethod("GET");
+			source.registerCorsConfiguration("/", config);
+			source.registerCorsConfiguration("/arsnova-config", config);
+			source.registerCorsConfiguration("/configuration/", config);
+			source.registerCorsConfiguration("/statistics", config);
+		}
 
 		return source;
 	}
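Review bot: The `if` branch still combines `config.setAllowedOrigins(origins)` with `config.setAllowCredentials(true)` without checking what the configured list contains, so a deployment that lists the wildcard `"*"` as an origin ends up allowing credentialed cross-origin requests from any site, which is exactly the combination the `else` branch now avoids. A guard at the top of the branch would make the new behaviour explicit, for example `if (origins.contains("*")) { throw new IllegalStateException("Wildcard origin is not allowed when credentials are enabled"); }`. Separately, `origins.isEmpty()` dereferences `origins` directly; whether it can be null depends on how the field is initialised, which is outside this hunk, so a `null` check or an `Objects.requireNonNull` at the declaration may be warranted. The enclosing method begins before the hunk.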
-- 
GitLab