0035548: Cross domain checks is also executed/logged when the origin of the webpos main page and the separate xhr request are the same

Openbravo Issue Tracking System - Openbravo ERP

View Issue Details

Project

Category

View Status

Date Submitted

Last Update

0035548

Openbravo ERP

A. Platform

public

2017-03-17 08:36

2017-03-20 23:12

Reporter

mtaal

Assigned To

mtaal

Priority

normal

Severity

major

Reproducibility

have not tried

Status

closed

Resolution

fixed

Platform

OS Version

Product Version

Target Version

3.0PR17Q2

Fixed in Version

Merge Request Status

Review Assigned To

AugustoMauch

OBNetwork customer

Web browser

Modules

Core

Support ticket

Regression level

Regression date

Regression introduced in release

Regression introduced by commit

Triggers an Emergency Pack

Summary

0035548: Cross domain checks is also executed/logged when the origin of the webpos main page and the separate xhr request are the same

Description

The assumption when creating the cross domain logic was that the origin was only set by the browser when the original page and the xhr have different origins. This showed to be false the origin header is always included.

This results in cross domain errors in the log if there are mobile server definitions and the multi-server preference is set to N. This results in that the browser/webpos does not have a list of servers and requests all the data from the server it was loaded from. Still the cross domain check on the server uses the mobile server definitions to check the cross domain request.

This issue only occurs when:
- mobile core is included, and
- one or more mobile server definitions are created.

It shows by messages in the log [2].

WebPOS functions properly, still there are messages in the log.

[1]
http://wiki.openbravo.com/wiki/How_to_Setup_MultiServer_Dev_Environment#Understanding_CORS [^]

[2]
223347 [http-bio-9080-exec-7] ERROR org.openbravo.mobile.core.authenticate.MobileAllowedCrossDomainsChecker - Origin http://localhost:9080 [^] is not allowed, request information: http://localhost:9080/openbravo/org.openbravo.retail.posterminal/POSLoginHandler-null [^]
231650 [http-bio-9080-exec-7] ERROR org.openbravo.mobile.core.authenticate.MobileAllowedCrossDomainsChecker - Origin http://localhost:9080 [^] is not allowed, request information: http://localhost:9080/openbravo/org.openbravo.retail.posterminal/POSLoginHandler-null [^]

Steps To Reproduce

- Create mobile server definitions
- Set the urls of the mobile server to something non-existing
- Set multi-server pref to N (not needed but is from the customer case)
- Access webpos using localhost
- See messages in the log

Proposed Solution

Check if the origin of the request is present in the request url. If so then the request is allowed and cross domain headers do not need to be set either.

Code changes can be done in the AllowedCrossDomainsHandler.

[1]
https://code.openbravo.com/erp/devel/pi/file/05c62ceaa5a6/src/org/openbravo/base/secureApp/AllowedCrossDomainsHandler.java#l63 [^]

Additional Information