Access-Control-Allow-Origin header returns wrong value using SockJS [SPR-16304] #20851

Closed

Description

Richard Janík opened SPR-16304 and commented

Example of a WebSocket configuration using SockJS:

import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.simp.config.MessageBrokerRegistry;
import org.springframework.scheduling.concurrent.DefaultManagedTaskScheduler;
import org.springframework.web.socket.config.annotation.AbstractWebSocketMessageBrokerConfigurer;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;

@Configuration
@EnableWebSocketMessageBroker
public class WebSocketAppConfig extends AbstractWebSocketMessageBrokerConfigurer {

	@Override
	public void registerStompEndpoints(StompEndpointRegistry registry) {
		// Only https://example.com is allowed to open the SockJS endpoint at /ws
		registry.addEndpoint("/ws").setAllowedOrigins("https://example.com").withSockJS();
	}

	@Override
	public void configureMessageBroker(MessageBrokerRegistry config) {
		// Simple in-memory broker with 10 s heartbeats in both directions
		config.enableSimpleBroker("/topic")
				.setHeartbeatValue(new long[] {10000, 10000})
				.setTaskScheduler(new DefaultManagedTaskScheduler());
		config.setApplicationDestinationPrefixes("/app");
	}

}

When we set the allowed origin to https://example.com and make a call to the server, let's say /ws/info/, with the header (I will exclude the others just to show the example)

Origin: https://another.example.com

the server correctly returns HTTP status 403 Forbidden.
But it also returns

Access-Control-Allow-Origin: https://another.example.com
access-control-allow-credentials: true

The issue is that an incorrect origin was sent and it is returned as allowed.

I've found that AbstractSockJsService.getCorsConfiguration returns a wildcard every time.
The check is done in OriginHandshakeInterceptor.java, but the headers are created in DefaultCorsProcessor.java, at line 121:

String allowOrigin = checkOrigin(config, requestOrigin);

which accepts the configuration from AbstractSockJsService.getCorsConfiguration.

(I assume this also occurs on newer versions, because I didn't find any problems regarding this topic.)


Affects: 4.3.9

Backported to: 4.3.14
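Added example, not part of the Spring Framework or of the report above: a black-box regression check that evaluates the headers of a SockJS /info response against the origin allowlist from the configuration (https://example.com). The response header sets are constructed to mirror the report; `probe_info_endpoint` and its URL are hypothetical helpers for running the same check against a live server.

```python
"""Defender-side check for the SockJS CORS behaviour described in SPR-16304."""
from urllib.request import Request, urlopen
from urllib.error import HTTPError

# Allowlist matching setAllowedOrigins("https://example.com") in the config above
ALLOWED_ORIGINS = {"https://example.com"}


def cors_findings(status, headers, request_origin, allowed_origins=ALLOWED_ORIGINS):
    """Return policy violations for one response to a request carrying Origin.

    headers: mapping of response header name -> value (looked up case-insensitively).
    """
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    origin_allowed = request_origin in allowed_origins
    findings = []
    if not origin_allowed and status != 403:
        findings.append("disallowed origin was not rejected with 403")
    if acao is not None and acao != "*" and acao not in allowed_origins:
        findings.append(f"Access-Control-Allow-Origin echoes untrusted origin {acao}")
    if acao == "*" and creds:
        findings.append("wildcard origin combined with allow-credentials")
    if acao is not None and not origin_allowed:
        findings.append("CORS allow headers present on a rejected request")
    return findings


def probe_info_endpoint(url, origin):
    """Hypothetical live check: GET url with the given Origin and evaluate the reply."""
    req = Request(url, headers={"Origin": origin})
    try:
        with urlopen(req) as resp:
            return cors_findings(resp.status, dict(resp.headers), origin)
    except HTTPError as err:  # 403 surfaces as an exception; still evaluate it
        return cors_findings(err.code, dict(err.headers), origin)


# Constructed response mirroring the report: 403, but the origin is reflected back.
REPORTED_RESPONSE = {
    "Access-Control-Allow-Origin": "https://another.example.com",
    "access-control-allow-credentials": "true",
}
# Constructed response of the expected behaviour: 403 with no CORS allow headers.
EXPECTED_RESPONSE = {"Content-Type": "text/plain"}
```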

Labels: in: web (issues in web modules: web, webmvc, webflux, websocket), status: backported (backported to maintenance branches), type: bug