- Type: Bug
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: None
- Fix Version/s: HOTFIX_10.10, 2021.x
- Component/s: Security
- Tags:
- Story Points: 5
As we have prepared to roll out the use of the new CORS URLs configuration to cloud customers, we have found that it conflicts with XML contributions that customers have already made.
CORS setting introduced:
`nuxeo.cors.urls=`
Our understanding was that cross-origin domain acceptance would filter across those set here AND in customer package contributions, so that existing CORS config would not have to be changed to being managed by the cloud team in nuxeo.conf.
—
This was found with NOS, who has CORS settings already. In our testing with the NOS UAT env, we found that we suddenly blocked the SAML SSO with Okta because we did not add it to the `nuxeo.cors.urls` setting.
It is our understanding that the allowed cross-origin domains should be additive across the `nuxeo.cors.urls` setting and the XML contributions made in packages or Studio.
Please refer to Arnaud Kervern for deeper explanation of the current behavior compared to expected behavior.