Today S5122 raises on any HTTP CORS header with any value.
But the only critical header is Access-Control-Allow-Origin when it is set to "*".
The code examples in other recent tickets follow this behaviour, but the current implementation does not (see picture in attachment).
This implies the following changes:
- HttpServletResponse: raise only when the "Access-Control-Allow-Origin" header is set to "*"
- CorsConfiguration: raise only when addAllowedOrigin("*") is called
- @CrossOrigin annotation: raise when origins (and value, since it's an alias) is not set or is set to "*". (By default all origins are allowed, see documentation.)
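The three cases above side by side, as an added example (not code from this ticket or from the rule's test suite): each noncompliant form is shown next to a restricted-origin form that should not raise. It assumes the javax.servlet API and uses the constructed origin https://trusted.example.com.

```java
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.cors.CorsConfiguration;

// Expected behaviour of S5122 for each of the three cases.
class CorsExamples {

    // HttpServletResponse: only the wildcard Access-Control-Allow-Origin should raise.
    void servletHeaders(HttpServletResponse response) {
        response.setHeader("Access-Control-Allow-Origin", "*");                       // Noncompliant
        response.setHeader("Access-Control-Allow-Origin", "https://trusted.example.com"); // Compliant
        response.setHeader("Access-Control-Allow-Methods", "GET");                    // Compliant: not the critical header
        response.setHeader("Access-Control-Allow-Credentials", "true");               // Compliant: not the critical header
    }

    // CorsConfiguration: only addAllowedOrigin("*") should raise.
    CorsConfiguration corsConfig() {
        CorsConfiguration config = new CorsConfiguration();
        config.addAllowedOrigin("*");                          // Noncompliant
        config.addAllowedOrigin("https://trusted.example.com"); // Compliant
        config.addAllowedMethod("GET");                         // Compliant: methods are not the critical setting
        return config;
    }
}

// @CrossOrigin: origins (or its alias value) unset means all origins, so it should raise.
@CrossOrigin                                   // Noncompliant: defaults to all origins
@RestController
class DefaultCorsController {}

@CrossOrigin(origins = "*")                    // Noncompliant
@RestController
class WildcardOriginsController {}

@CrossOrigin(value = "*")                      // Noncompliant: value is an alias of origins
@RestController
class WildcardValueController {}

@CrossOrigin(origins = "https://trusted.example.com") // Compliant: explicit, restricted origin
@RestController
class RestrictedOriginController {}
```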