View Issue Details
ID: 0035548
Type: defect
Category: [Openbravo ERP] A. Platform
Severity: major
Reproducibility: have not tried
Date Submitted: 2017-03-17 08:36
Last Update: 2017-03-20 23:12
Reporter: mtaal
View Status: public
Assigned To: mtaal
Priority: normal
Resolution: fixed
Fixed in Version:
Status: closed
Fix in branch:
Fixed in SCM revision: fa58c10eca84
Projection: none
ETA: none
Target Version: 3.0PR17Q2
OS: Any
Database: Any
Java version:
OS Version:
Database version:
Ant version:
Product Version:
SCM revision:
Review Assigned To: AugustoMauch
Web browser:
Modules: Core
Regression level:
Regression date:
Regression introduced in release:
Regression introduced by commit:
Triggers an Emergency Pack: No
Summary

0035548: Cross domain checks is also executed/logged when the origin of the webpos main page and the separate xhr request are the same

Description

The assumption when creating the cross domain logic was that the origin was only set by the browser when the original page and the xhr have different origins. This turned out to be false: the origin header is always included.

This results in cross domain errors in the log if there are mobile server definitions and the multi-server preference is set to N. This means that the browser/webpos does not have a list of servers and requests all the data from the server it was loaded from. Still, the cross domain check on the server uses the mobile server definitions to check the cross domain request.

This issue only occurs when:
- mobile core is included, and
- one or more mobile server definitions are created.

It shows up as messages in the log [2].

WebPOS functions properly, but there are still messages in the log.

[1]
http://wiki.openbravo.com/wiki/How_to_Setup_MultiServer_Dev_Environment#Understanding_CORS

[2]
223347 [http-bio-9080-exec-7] ERROR org.openbravo.mobile.core.authenticate.MobileAllowedCrossDomainsChecker - Origin http://localhost:9080 is not allowed, request information: http://localhost:9080/openbravo/org.openbravo.retail.posterminal/POSLoginHandler-null
231650 [http-bio-9080-exec-7] ERROR org.openbravo.mobile.core.authenticate.MobileAllowedCrossDomainsChecker - Origin http://localhost:9080 is not allowed, request information: http://localhost:9080/openbravo/org.openbravo.retail.posterminal/POSLoginHandler-null

Steps To Reproduce

- Create mobile server definitions
- Set the urls of the mobile server to something non-existing
- Set multi-server pref to N (not needed but is from the customer case)
- Access webpos using localhost
- See messages in the log

Proposed Solution

Check if the origin of the request is present in the request url. If so then the request is allowed and cross domain headers do not need to be set either.

Code changes can be done in the AllowedCrossDomainsHandler.

[1]
https://code.openbravo.com/erp/devel/pi/file/05c62ceaa5a6/src/org/openbravo/base/secureApp/AllowedCrossDomainsHandler.java#l63

Tags: No tags attached.
Attached Files:

Relationships
related to defect 0035549 (RR17Q2, closed, mtaal, Retail Modules): Cross domain checking should not use mobile servers if the multi-server preference is of 

Notes
(0095389)
hgbot (developer)
2017-03-19 10:18

Repository: erp/devel/pi
Changeset: fa58c10eca84fdfb956ab161e64a9fbc21d93239
Author: Martin Taal <martin.taal <at> openbravo.com>
Date: Sun Mar 19 10:18:20 2017 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/fa58c10eca84fdfb956ab161e64a9fbc21d93239

Fixes issue 35548: Cross domain checks is also executed/logged when the origin
Do not check cross domain or add cors headers if the request url and origin share the same host/port.

---
M src/org/openbravo/base/secureApp/AllowedCrossDomainsHandler.java
---
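
The same-origin test named in the Proposed Solution and in the changeset description above, sketched as an added example (not the changeset's code and not Openbravo's API). The class and method names are hypothetical; the comparison parses both values and matches scheme, host and port instead of searching for the origin string inside the URL.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added illustration; class and method names are hypothetical, not Openbravo's.
public class SameOriginCheck {

  // Port to compare: the explicit one, else the scheme default, else -1.
  static int effectivePort(URI uri) {
    if (uri.getPort() != -1) {
      return uri.getPort();
    }
    if ("http".equalsIgnoreCase(uri.getScheme())) return 80;
    if ("https".equalsIgnoreCase(uri.getScheme())) return 443;
    return -1;
  }

  // True only when the Origin header and the request URL agree on scheme, host and port.
  // A missing, "null" or unparsable Origin is never treated as same-origin,
  // so it still falls through to the regular cross domain check.
  static boolean isSameOrigin(String originHeader, String requestUrl) {
    if (originHeader == null || originHeader.isEmpty() || "null".equals(originHeader)) {
      return false;
    }
    try {
      URI origin = new URI(originHeader);
      URI request = new URI(requestUrl);
      if (origin.getScheme() == null || origin.getHost() == null || request.getHost() == null) {
        return false; // e.g. an authority that does not parse as host:port
      }
      return origin.getScheme().equalsIgnoreCase(request.getScheme())
          && origin.getHost().equalsIgnoreCase(request.getHost())
          && effectivePort(origin) == effectivePort(request);
    } catch (URISyntaxException e) {
      return false;
    }
  }

  public static void main(String[] args) {
    // Constructed inputs, based on the origin and request URL shown in log excerpt [2].
    String url = "http://localhost:9080/openbravo/org.openbravo.retail.posterminal/POSLoginHandler";
    System.out.println(isSameOrigin("http://localhost:9080", url));         // same scheme, host, port
    System.out.println(isSameOrigin("http://localhost:9081", url));         // different port
    System.out.println(isSameOrigin("https://localhost:9080", url));        // different scheme
    System.out.println(isSameOrigin("http://localhost:9080.example", url)); // shares only a string prefix
    System.out.println(isSameOrigin("null", url));                          // opaque origin
  }
}
```

The sketch assumes `requestUrl` is the URL the browser actually used; behind a TLS-terminating or port-remapping proxy the container may report a different scheme or port, and the comparison then needs the externally visible values.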
(0095414)
AugustoMauch (manager)
2017-03-20 10:08

Code reviewed and verified
(0095449)
hudsonbot (developer)
2017-03-20 23:12

A changeset related to this issue has been promoted to main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/ba27e12a1e16
Maturity status: Test

Issue History
Date Modified Username Field Change
2017-03-17 08:36 mtaal New Issue
2017-03-17 08:36 mtaal Assigned To => mtaal
2017-03-17 08:36 mtaal Modules => Core
2017-03-17 08:36 mtaal Triggers an Emergency Pack => No
2017-03-17 08:46 mtaal Relationship added related to 0035549
2017-03-17 10:10 shuehner Resolution time => 1491516000
2017-03-17 10:14 shuehner Issue Monitored: shuehner
2017-03-19 10:17 mtaal Review Assigned To => AugustoMauch
2017-03-19 10:18 hgbot Checkin
2017-03-19 10:18 hgbot Note Added: 0095389
2017-03-19 10:18 hgbot Status new => resolved
2017-03-19 10:18 hgbot Resolution open => fixed
2017-03-19 10:18 hgbot Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/fa58c10eca84fdfb956ab161e64a9fbc21d93239
2017-03-20 10:08 AugustoMauch Note Added: 0095414
2017-03-20 10:08 AugustoMauch Status resolved => closed
2017-03-20 23:12 hudsonbot Checkin
2017-03-20 23:12 hudsonbot Note Added: 0095449