Re: [jetty-users] How to update a CrossOriginFilter

Hi,

On Wed, Feb 24, 2021 at 6:37 PM Bruno Konik <bruno.konik@xxxxxxxxxxx> wrote:
>
> Hello Simone,
>
> Thanks for your reply.
>
> Our application embeds a Jetty server which delivers web services that are
> provided by a JavaScript library. The library is embedded by websites. Those
> websites are authorized by the CORS header. While the server is running, it
> is possible to add a new website. Until now, when doing so, we were stopping
> and starting the server again. I would like a better way to do so avoiding
> this restart. That's the reason. I would have imagined that changing the
> CORS filter's list of authorized origins on the fly would not affect the
> running requests working with the "old" list of origins but only the new
> ones which would use the new list.
>
> So there is no way to properly "restart" a Filter while the server is
> running?

I'm not sure I understand your setup.

If you "add a new website" you need to add a new ContextHandler, and
with that a different instance of the CrossOriginFilter that you
configure appropriately for the new website (and only for that one).

If, instead, you have a single CrossOriginFilter for all the websites,
there should be a place in the code where for an incoming request you
figure out what "website" it should be dispatched to.
Once that is figured out, you should be able to change the
Access-Control-Allow-Origin header accordingly (for example in a
filter _after_ the CrossOriginFilter).

If you have a single CrossOriginFilter, adding "websites" to the list
returned by the Access-Control-Allow-Origin header seems like a leakage
of information.
An attacker that contacts http://foo.com gets back a response with
Access-Control-Allow-Origin: http://foo.com, http://bar.com, so that
it now knows there is another "website" at http://bar.com.

Maybe it's not an issue in your case, but if you explain your setup
better, we may provide an alternative solution to your proposal (which I
am not particularly keen to implement).

-- 
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
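The per-request approach Simone sketches (decide which "website" the request belongs to, then set Access-Control-Allow-Origin for that one origin only) can be written as a Filter whose allow-list is mutable at runtime, which also removes the stop/start cycle Bruno describes. The following is an added illustration, not code from the Jetty project or from either author in the thread. It assumes the javax.servlet API (Jetty 9.x/10.x; Jetty 11 and later use jakarta.servlet), and the class name DynamicOriginFilter and its allowOrigin/revokeOrigin methods are hypothetical. It echoes exactly the requesting origin, never the whole list, so a caller from foo.com learns nothing about bar.com, and it matches origins exactly rather than by prefix.

```java
// Added example; not Jetty project code. Assumes javax.servlet (Jetty 9.x/10.x).
import java.io.IOException;
import java.util.Locale;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArraySet;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical CORS filter whose allow-list can change while the server runs.
 *
 * Security properties:
 *  1. The Origin header is compared exactly (scheme + host + port) against the
 *     allow-list, so "https://foo.com.evil.example" never matches "https://foo.com".
 *  2. Only the requesting origin is echoed back, never the full list, so one
 *     customer's website cannot discover the others from the response header.
 *  3. Unknown origins get no CORS headers at all (and a 403 on preflight).
 */
public class DynamicOriginFilter implements Filter {

    // Safe for many concurrent readers; updates (adding a website) are rare.
    private final Set<String> allowedOrigins = new CopyOnWriteArraySet<>();

    public DynamicOriginFilter(Set<String> initial) {
        for (String o : initial) allowOrigin(o);
    }

    /** Runtime update, called from whatever path registers a new website. */
    public void allowOrigin(String origin) {
        String o = normalize(origin);
        // Never allow the literal "null" origin: sandboxed iframes and file:// pages send it.
        if (!"null".equals(o)) allowedOrigins.add(o);
    }

    public void revokeOrigin(String origin) { allowedOrigins.remove(normalize(origin)); }

    // Lower-case, no trailing slash; an Origin header never carries a path.
    static String normalize(String origin) {
        String o = origin.trim().toLowerCase(Locale.ROOT);
        return o.endsWith("/") ? o.substring(0, o.length() - 1) : o;
    }

    @Override public void init(FilterConfig filterConfig) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String origin = request.getHeader("Origin");
        if (origin == null) {
            chain.doFilter(req, res);   // same-origin or non-browser client: nothing to add
            return;
        }
        // Tell shared caches the answer depends on Origin, otherwise a cached response
        // carrying foo.com's ACAO header could be served to a request from bar.com.
        response.addHeader("Vary", "Origin");

        boolean preflight = "OPTIONS".equals(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;

        if (!allowedOrigins.contains(normalize(origin))) {
            // Not allowed: emit no CORS headers, so the browser blocks the cross-origin
            // read, and do not reveal which origins would have been accepted.
            if (preflight) {
                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            chain.doFilter(req, res);
            return;
        }

        // Allowed: echo this single origin, not the entire allow-list.
        response.setHeader("Access-Control-Allow-Origin", origin);
        response.setHeader("Access-Control-Allow-Credentials", "true");

        if (preflight) {
            // Fixed sets rather than reflecting Access-Control-Request-* from the client.
            response.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
            response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
            response.setHeader("Access-Control-Max-Age", "600");
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;                     // a preflight never reaches the servlet
        }
        chain.doFilter(req, res);
    }
}
```

To use it with an embedded Jetty ServletContextHandler, keep a reference to the single filter instance (for example `FilterHolder holder = new FilterHolder(filter); context.addFilter(holder, "/*", EnumSet.of(DispatcherType.REQUEST));`) so the code that registers a new website can call `filter.allowOrigin(...)` without touching the server lifecycle. Requests already in flight keep whatever decision was made when they entered doFilter, which is the behaviour Bruno asked about; the Vary header is what keeps that per-origin decision from being replayed to a different origin by an intermediate cache.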
