Nuxeo Platform
NXP-30606

CORS domain filtering is not globally checking all cors settings

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: HOTFIX_10.10, 2021.x
    • Component/s: Security


As we have prepared to roll out the use of the new CORS URLs configuration to cloud customers, we have found that it conflicts with XML contributions that customers have already made.

[Attached image: cors setting introduced]

Our understanding was that cross-origin domain acceptance would filter across those set here AND in customer package contributions, so that existing CORS config would not have to be changed to be managed by the cloud team in the nuxeo.conf.

This was found with NOS, which already has CORS settings. In our testing with the NOS UAT environment, we found that we suddenly blocked the SAML SSO with Okta because we did not add it to the `nuxeo.cors.urls` setting.

It is our understanding that these allowed cross-origin domains should be additive across the `nuxeo.cors.urls` setting and the XML contributions made in packages or Studio.

Please refer to Arnaud Kervern for a deeper explanation of the current behavior compared to the expected behavior.
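The following is an added illustration of the additive check this issue asks for; it is not Nuxeo code. It assumes `nuxeo.cors.urls` is a comma-separated list, uses a simplified XML shape (`<allowOrigin>` elements) that stands in for a package contribution rather than the real Nuxeo schema, and the origins, the `conf_origins`, `xml_origins` and `check` helpers are all constructed for the example.

```python
"""Additive CORS origin check: conf setting plus package contribution (illustration only)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed nuxeo.conf content standing in for the cloud-team managed setting.
NUXEO_CONF = "nuxeo.cors.urls=https://app.example.com, https://admin.example.com"

# Constructed package contribution (simplified shape, NOT the real Nuxeo schema):
# it declares the SAML IdP origin that the customer package already allowed.
PACKAGE_XML = """<component name="nos.cors">
  <extension point="corsConfig">
    <corsConfig name="saml"><allowOrigin>https://idp.okta.example.com</allowOrigin></corsConfig>
  </extension>
</component>"""


def normalize(origin):
    """Reduce an origin to scheme://host[:port], lower-cased, so matches are exact, never substring."""
    u = urlsplit(origin.strip())
    return f"{u.scheme}://{u.netloc}".lower()


def conf_origins(conf_text):
    """Origins from the nuxeo.cors.urls line of a nuxeo.conf (assumed comma-separated)."""
    for line in conf_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "nuxeo.cors.urls":
            return {normalize(o) for o in value.split(",") if o.strip()}
    return set()


def xml_origins(xml_text):
    """Origins declared by <allowOrigin> elements in the (assumed) contribution shape."""
    root = ET.fromstring(xml_text)
    return {normalize(e.text) for e in root.iter("allowOrigin") if e.text}


def is_allowed(origin, *sources):
    """True when the request Origin is in the union of every configured source."""
    return normalize(origin) in set().union(*sources)


def check(origin):
    """Compare the reported behaviour (conf only) with the expected additive behaviour."""
    conf = conf_origins(NUXEO_CONF)
    pkg = xml_origins(PACKAGE_XML)
    return {"conf_only": is_allowed(origin, conf), "additive": is_allowed(origin, conf, pkg)}


if __name__ == "__main__":
    print(check("https://idp.okta.example.com"))  # {'conf_only': False, 'additive': True}
```

The IdP origin is rejected when only the conf setting is consulted, which is the SSO breakage described above; the additive check accepts it while still rejecting look-alike hosts.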
