Last Modified: Apr 10, 2019
See more info
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2
Opened: Oct 09, 2015
XMLHttpRequest to external domain should fail if the server does not include 'Access-Control-Allow-Origin' header into response. Current implementation of CORS support in Portal Access does not enforce this failure. If XMLHttpRequest to same-origin resource is redirected to external one, it has to be treated as cross-domain request. Current implementation of CORS support in Portal Access does not handle this case correctly.
Web application may work incorrectly; some data access restrictions may not work.
XMLHttpRequest to external domain via Portal Access succeeds even when the server response does not include 'Access-Control-Allow-Origin' header. XMLHttpRequest to same-origin resource succeeds via Portal Access in spite of response redirection.
Now Portal Access supports CORS in case of response redirection for XMLHttpRequest. CORS support enforces error in the case when 'Access-Control-Allow-Origin' header is absent in server response.