|
|
@ -51,10 +51,22 @@ public class CrosXssFilter implements Filter { |
|
|
HttpServletRequest httpRequest = (HttpServletRequest) request; |
|
|
HttpServletRequest httpRequest = (HttpServletRequest) request; |
|
|
|
|
|
|
|
|
String referer = httpRequest.getHeader("Referer"); |
|
|
String referer = httpRequest.getHeader("Referer"); |
|
|
if (StringUtils.isNotBlank(referer) && !"*".equals(accessControlAllowOrigin) |
|
|
if (StringUtils.isNotBlank(referer) && !"*".equals(accessControlAllowOrigin)) { |
|
|
&& !referer.startsWith(accessControlAllowOrigin)) { |
|
|
// 允许多个域名,逗号分隔
|
|
|
httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid Referer"); |
|
|
String[] allowedOrigins = accessControlAllowOrigin.split(","); |
|
|
return; |
|
|
boolean matched = false; |
|
|
|
|
|
for (String origin : allowedOrigins) { |
|
|
|
|
|
origin = origin.trim(); |
|
|
|
|
|
if (StringUtils.isNotBlank(origin) && referer.startsWith(origin)) { |
|
|
|
|
|
matched = true; |
|
|
|
|
|
break; |
|
|
|
|
|
} |
|
|
|
|
|
} |
|
|
|
|
|
// 如果一个都不匹配,则返回 403
|
|
|
|
|
|
if (!matched) { |
|
|
|
|
|
httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid Referer"); |
|
|
|
|
|
return; |
|
|
|
|
|
} |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -94,9 +106,6 @@ public class CrosXssFilter implements Filter { |
|
|
httpServletResponse.setHeader("Access-Control-Allow-Origin", accessControlAllowOrigin); |
|
|
httpServletResponse.setHeader("Access-Control-Allow-Origin", accessControlAllowOrigin); |
|
|
httpServletResponse.setHeader("Access-Control-Allow-Credentials", "true"); |
|
|
httpServletResponse.setHeader("Access-Control-Allow-Credentials", "true"); |
|
|
|
|
|
|
|
|
// 修复 X-XSS-Protection 问题
|
|
|
|
|
|
httpServletResponse.setHeader("X-XSS-Protection", "1; mode=block"); |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if ("OPTIONS".equals(((HttpServletRequest) request).getMethod())) { |
|
|
if ("OPTIONS".equals(((HttpServletRequest) request).getMethod())) { |
|
|
|
review512jwy@163.com
1 week ago