@@ -280,8 +280,12 @@ private static void parseCommaDelimitedOrigin(String rawValue, Consumer<String>
280
280
281
281
/**
282
282
* Set the HTTP methods to allow, e.g. {@code "GET"}, {@code "POST"},
283
- * {@code "PUT"}, etc.
284
- * <p>The special value {@code "*"} allows all methods.
283
+ * {@code "PUT"}, etc. The special value {@code "*"} allows all methods.
284
+ * <p>{@code Access-Control-Allow-Methods} response header is set either
285
+ * to the configured method or to {@code "*"}. Keep in mind however that the
286
+ * CORS spec does not allow {@code "*"} when {@link #setAllowCredentials
287
+ * allowCredentials} is set to {@code true}, that combination is handled
288
+ * by copying the method specified in the CORS preflight request.
285
289
* <p>If not set, only {@code "GET"} and {@code "HEAD"} are allowed.
286
290
* <p>By default this is not set.
287
291
* <p><strong>Note:</strong> CORS checks use values from "Forwarded"
@@ -312,24 +316,24 @@ public void setAllowedMethods(@Nullable List<String> allowedMethods) {
312
316
/**
313
317
* Return the allowed HTTP methods, or {@code null} in which case
314
318
* only {@code "GET"} and {@code "HEAD"} allowed.
319
+ * @see #setAllowedMethods(List)
315
320
* @see #addAllowedMethod(HttpMethod)
316
321
* @see #addAllowedMethod(String)
317
- * @see #setAllowedMethods(List)
318
322
*/
319
323
@ Nullable
320
324
public List <String > getAllowedMethods () {
321
325
return this .allowedMethods ;
322
326
}
323
327
324
328
/**
325
- * Add an HTTP method to allow .
329
+ * Variant of {@link #setAllowedMethods} for adding one allowed method at a time .
326
330
*/
327
331
public void addAllowedMethod (HttpMethod method ) {
328
332
addAllowedMethod (method .name ());
329
333
}
330
334
331
335
/**
332
- * Add an HTTP method to allow .
336
+ * Variant of {@link #setAllowedMethods} for adding one allowed method at a time .
333
337
*/
334
338
public void addAllowedMethod (String method ) {
335
339
if (StringUtils .hasText (method )) {
@@ -352,9 +356,13 @@ else if (this.resolvedMethods != null) {
352
356
353
357
/**
354
358
* Set the list of headers that a pre-flight request can list as allowed
355
- * for use during an actual request.
356
- * <p>The special value {@code "*"} allows actual requests to send any
357
- * header.
359
+ * for use during an actual request. The special value {@code "*"} allows
360
+ * actual requests to send any header.
361
+ * <p>{@code Access-Control-Allow-Headers} response header is set either
362
+ * to the configured list of headers or to {@code "*"}. Keep in mind however
363
+ * that the CORS spec does not allow {@code "*"} when {@link #setAllowCredentials
364
+ * allowCredentials} is set to {@code true}, that combination is handled by
365
+ * copying the headers specified in the CORS preflight request.
358
366
* <p>A header name is not required to be listed if it is one of:
359
367
* {@code Cache-Control}, {@code Content-Language}, {@code Expires},
360
368
* {@code Last-Modified}, or {@code Pragma}.
@@ -375,7 +383,7 @@ public List<String> getAllowedHeaders() {
375
383
}
376
384
377
385
/**
378
- * Add an actual request header to allow .
386
+ * Variant of {@link #setAllowedHeaders(List)} for adding one allowed header at a time .
379
387
*/
380
388
public void addAllowedHeader (String allowedHeader ) {
381
389
if (this .allowedHeaders == null ) {
@@ -388,12 +396,19 @@ else if (this.allowedHeaders == DEFAULT_PERMIT_ALL) {
388
396
}
389
397
390
398
/**
391
- * Set the list of response headers other than simple headers (i.e.
392
- * {@code Cache-Control}, {@code Content-Language}, {@code Content-Type},
393
- * {@code Expires}, {@code Last-Modified}, or {@code Pragma}) that an
394
- * actual response might have and can be exposed.
395
- * <p>The special value {@code "*"} allows all headers to be exposed for
396
- * non-credentialed requests.
399
+ * Set the list of response headers that an actual response might have
400
+ * and can be exposed to the client. The special value {@code "*"}
401
+ * allows all headers to be exposed.
402
+ * <p>{@code Access-Control-Expose-Headers} response header is set either
403
+ * to the configured list of headers or to {@code "*"}. While the CORS
404
+ * spec does not allow {@code "*"} when {@code Access-Control-Allow-Credentials}
405
+ * is set to {@code true}, most browsers support it and
406
+ * the response headers are not all available during the CORS processing,
407
+ * so as a consequence {@code "*"} is the header value used when specified
408
+ * regardless of the value of the `allowCredentials` property.
409
+ * <p>A header name is not required to be listed if it is one of:
410
+ * {@code Cache-Control}, {@code Content-Language}, {@code Expires},
411
+ * {@code Last-Modified}, or {@code Pragma}.
397
412
* <p>By default this is not set.
398
413
*/
399
414
public void setExposedHeaders (@ Nullable List <String > exposedHeaders ) {
@@ -411,9 +426,7 @@ public List<String> getExposedHeaders() {
411
426
}
412
427
413
428
/**
414
- * Add a response header to expose.
415
- * <p>The special value {@code "*"} allows all headers to be exposed for
416
- * non-credentialed requests.
429
+ * Variant of {@link #setExposedHeaders} for adding one exposed header at a time.
417
430
*/
418
431
public void addExposedHeader (String exposedHeader ) {
419
432
if (this .exposedHeaders == null ) {
@@ -424,6 +437,15 @@ public void addExposedHeader(String exposedHeader) {
424
437
425
438
/**
426
439
* Whether user credentials are supported.
440
+ * <p>Setting this property has an impact on how {@link #setAllowedOrigins(List)
441
+ * origins}, {@link #setAllowedOriginPatterns(List) originPatterns},
442
+ * {@link #setAllowedMethods(List) allowedMethods} and
443
+ * {@link #setAllowedHeaders(List) allowedHeaders} are processed, see related
444
+ * API documentation for more details.
445
+ * <p><strong>NOTE:</strong> Be aware that this option establishes a high
446
+ * level of trust with the configured domains and also increases the surface
447
+ * attack of the web application by exposing sensitive user-specific
448
+ * information such as cookies and CSRF tokens.
427
449
* <p>By default this is not set (i.e. user credentials are not supported).
428
450
*/
429
451
public void setAllowCredentials (@ Nullable Boolean allowCredentials ) {
0 commit comments