udpate cors

JoyChou93 · JoyChou93 · commit ea9ad0e536a4 · 2018-11-22T23:33:47.000+08:00
diff --git a/java-sec-code.iml b/java-sec-code.iml
@@ -59,7 +59,7 @@
     <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy:2.4.7" level="project" />
     <orderEntry type="library" name="Maven: mysql:mysql-connector-java:8.0.12" level="project" />
     <orderEntry type="library" name="Maven: com.google.protobuf:protobuf-java:2.6.0" level="project" />
-    <orderEntry type="library" name="Maven: com.alibaba:fastjson:1.2.24" level="project" />
+    <orderEntry type="library" name="Maven: com.alibaba:fastjson:1.2.48" level="project" />
     <orderEntry type="library" name="Maven: org.jdom:jdom2:2.0.6" level="project" />
     <orderEntry type="library" name="Maven: org.dom4j:dom4j:2.1.1" level="project" />
     <orderEntry type="library" name="Maven: com.google.guava:guava:21.0" level="project" />
diff --git a/src/main/java/org/joychou/controller/CORS.java b/src/main/java/org/joychou/controller/CORS.java
@@ -30,7 +30,7 @@ private static String vuls1(HttpServletRequest request, HttpServletResponse resp
 
         response.setHeader("Access-Control-Allow-Origin", origin); // 设置Origin值为Header中获取到的
         // response.setHeader("Access-Control-Allow-Methods", "POST, GET");
-        // response.setHeader("Access-Control-Allow-Credentials", "true");  // cookie
+        response.setHeader("Access-Control-Allow-Credentials", "true");  // cookie
         return info;
     }
 
@@ -55,16 +55,10 @@ private static String vuls3(HttpServletResponse response) {
     private static String seccode(HttpServletRequest request, HttpServletResponse response) {
         String origin = request.getHeader("Origin");
         Security sec = new Security();
-        Boolean origin_safe = false;
 
-        // 如果origin为空，表示是同域过来的请求或者浏览器直接发起的请求，这种直接放过，没有安全问题。
-        if (origin == null) {
-            origin_safe = true;
-        }else if (sec.checkSafeUrl(origin, urlwhitelist)) {
-            origin_safe = true;
-        }
-
-        if (!origin_safe) {
+        // 如果origin不为空并且origin不在白名单内，认定为不安全。
+        // 如果origin为空，表示是同域过来的请求或者浏览器直接发起的请求。
+        if ( origin != null && !sec.checkSafeUrl(origin, urlwhitelist) ) {
             return "Origin is not safe.";
         }
         response.setHeader("Access-Control-Allow-Origin", "*");
