|
|
|
@ -50,21 +50,31 @@ public class CrosXssFilter implements Filter { |
|
|
|
HttpServletResponse httpServletResponse = (HttpServletResponse) response; |
|
|
|
HttpServletRequest httpRequest = (HttpServletRequest) request; |
|
|
|
|
|
|
|
String referer = httpRequest.getHeader("Referer"); |
|
|
|
if (StringUtils.isNotBlank(referer) && !"*".equals(accessControlAllowOrigin)) { |
|
|
|
// 允许多个域名,逗号分隔
|
|
|
|
String[] allowedOrigins = accessControlAllowOrigin.split(","); |
|
|
|
boolean matched = false; |
|
|
|
for (String origin : allowedOrigins) { |
|
|
|
origin = origin.trim(); |
|
|
|
if (StringUtils.isNotBlank(origin) && referer.startsWith(origin)) { |
|
|
|
matched = true; |
|
|
|
break; |
|
|
|
String requestUri = httpRequest.getRequestURI(); |
|
|
|
// 当 URL 不包含 /common/ 时,校验 Referer
|
|
|
|
if (!requestUri.contains("/common/")) { |
|
|
|
String referer = httpRequest.getHeader("Referer"); |
|
|
|
if (StringUtils.isNotBlank(referer)){ |
|
|
|
if(!"*".equals(accessControlAllowOrigin)){ |
|
|
|
// 允许多个域名,逗号分隔
|
|
|
|
String[] allowedOrigins = accessControlAllowOrigin.split(","); |
|
|
|
boolean matched = false; |
|
|
|
for (String origin : allowedOrigins) { |
|
|
|
origin = origin.trim(); |
|
|
|
if (StringUtils.isNotBlank(origin) && referer.startsWith(origin)) { |
|
|
|
matched = true; |
|
|
|
break; |
|
|
|
} |
|
|
|
} |
|
|
|
// 如果一个都不匹配,则返回 403
|
|
|
|
if (!matched) { |
|
|
|
logger.error("Invalid Referer: {}", referer); |
|
|
|
httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid Referer"); |
|
|
|
return; |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
// 如果一个都不匹配,则返回 403
|
|
|
|
if (!matched) { |
|
|
|
logger.error("Invalid Referer: {}", referer); |
|
|
|
} else { |
|
|
|
logger.error("Referer required...."); |
|
|
|
httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid Referer"); |
|
|
|
return; |
|
|
|
} |
|
|
|
|
