|
| 1 | +/* |
| 2 | + * The OWASP CSRFGuard Project, BSD License |
| 3 | + * Eric Sheridan ([email protected]), Copyright (c) 2011 |
| 4 | + * All rights reserved. |
| 5 | + * |
| 6 | + * Redistribution and use in source and binary forms, with or without |
| 7 | + * modification, are permitted provided that the following conditions are met: |
| 8 | + * |
| 9 | + * 1. Redistributions of source code must retain the above copyright notice, |
| 10 | + * this list of conditions and the following disclaimer. |
| 11 | + * 2. Redistributions in binary form must reproduce the above copyright |
| 12 | + * notice, this list of conditions and the following disclaimer in the |
| 13 | + * documentation and/or other materials provided with the distribution. |
| 14 | + * 3. Neither the name of OWASP nor the names of its contributors may be used |
| 15 | + * to endorse or promote products derived from this software without specific |
| 16 | + * prior written permission. |
| 17 | + * |
| 18 | + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" |
| 19 | + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 20 | + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| 21 | + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE |
| 22 | + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES |
| 23 | + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
| 24 | + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON |
| 25 | + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| 26 | + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS |
| 27 | + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 28 | + */ |
| 29 | +package org.owasp.csrfguard.test; |
| 30 | + |
| 31 | +import org.owasp.csrfguard.CsrfGuard; |
| 32 | + |
| 33 | +import javax.servlet.*; |
| 34 | +import javax.servlet.http.HttpServletResponse; |
| 35 | +import java.io.IOException; |
| 36 | + |
| 37 | +/** |
| 38 | + * Enables Cross-Origin Resource Sharing |
| 39 | + * Only for testing purposes. |
| 40 | + * Disabled by default through the web.xml |
| 41 | + */ |
| 42 | +public class CORSFilter implements Filter { |
| 43 | + |
| 44 | + @Override |
| 45 | + public void init(FilterConfig filterConfig) {} |
| 46 | + |
| 47 | + @Override |
| 48 | + public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { |
| 49 | + HttpServletResponse httpResponse = (HttpServletResponse) servletResponse; |
| 50 | + httpResponse.addHeader("Access-Control-Allow-Origin", "*"); |
| 51 | +// httpResponse.addHeader("Access-Control-Allow-Headers", "*"); |
| 52 | + httpResponse.addHeader("Access-Control-Allow-Headers", String.join(",", CsrfGuard.getInstance().getTokenName(), |
| 53 | + "X-Requested-With")); |
| 54 | + filterChain.doFilter(servletRequest, servletResponse); |
| 55 | + } |
| 56 | + |
| 57 | + @Override |
| 58 | + public void destroy() {} |
| 59 | +} |
0 commit comments