Update Javadoc on CORS in spring-websocket #26753
Labels
in: web
Issues in web modules (web, webmvc, webflux, websocket)
type: documentation
A documentation task
Milestone
According to the documentation, the iframe fallback is useful for transports with no native cross-domain communication.
See :
spring-framework/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/AbstractSockJsService.java
Line 146 in 58e40d1
But when configuring my app for allowing a specific origin, and when my client request the Iframe, this bloc of code prevent me from getting it :
spring-framework/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/AbstractSockJsService.java
Line 407 in 58e40d1
This bloc of code seems to say I could bypass it by setting
"*"
in allowOrigins. But it then conflicts with the "Access-Control-Allow-Credentials" set to true, which is forbidden for the"*"
regex.https://docs.spring.io/spring-framework/docs/5.3.2/reference/html/web.html#websocket-fallback-sockjs-overview)
I have the feeling there is a contradiction here. For some transport, I need and iframe when I want to do cross-domain communication. But the very same process of providing an iframe is restricted if I want to access it cross-domain.
Is this code outdated and need an update? Or am I missing a point? If option one, I can work on the PR.
The text was updated successfully, but these errors were encountered: