Description of problem:
The WebDAV interface returns an Access-Control-Allow-Origin: * header.

How reproducible:
always

Steps to Reproduce:
1. From a bash shell with netcat installed as nc, access the WebDAV interface with the following one-liner (the double quotes inside the XML body are escaped so the shell passes them through intact):

echo -e "PROPFIND /pressgang-ccms/webdav/ HTTP/1.1\r\nHost: skynet.usersys.redhat.com:8080\r\nDepth: 1\r\nContent-Type: application/xml\r\n\r\n<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<propfind xmlns=\"DAV:\"><prop>\n<getcontentlength xmlns=\"DAV:\"/>\n<getlastmodified xmlns=\"DAV:\"/>\n<executable xmlns=\"http://apache.org/dav/props/\"/>\n<resourcetype xmlns=\"DAV:\"/>\n<checked-in xmlns=\"DAV:\"/>\n<checked-out xmlns=\"DAV:\"/>\n</prop></propfind>\r\n\r\n" | nc skynet.usersys.redhat.com 8080

Actual results:
Receive the "directory" listing (as expected) with an Access-Control-Allow-Origin: * header.

Expected results:
Receive the "directory" listing with headers that would appropriately block cross-site access.

Additional info:
Some browsers allow calls to methods such as PROPFIND. Combined with this header behavior there is the potential for JavaScript access to the WebDAV interface from arbitrary websites. Drive-by attacks similar to the one detailed in the bugs relating to https://bugzilla.redhat.com/buglist.cgi?f1=cf_qa_whiteboard&o1=substring&query_format=advanced&v1=poc-fc5fd70a912b seem quite likely. As with that POC, an attacker need not have VPN access, only the ability to have victims within the VPN browse content.
Fixed in 1.0-SNAPSHOT build 20130529-1332. I've fixed the MessageBodyWriterInterceptor to only work on normal REST endpoints. That way the Access-Control-Allow-Origin header will not be present anymore for all webdav requests, as it shouldn't have ever been there anyways.

Example output (from skynet-dev):

HTTP/1.1 207 Multi-Status
Date: Wed, 29 May 2013 07:23:32 GMT
Server: Apache-Coyote/1.1
Content-Type: text/xml
Connection: close
Transfer-Encoding: chunked

23b
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><D:multistatus xmlns:D="DAV:"><D:response><D:href>http://skynet-dev.usersys.redhat.com:8080/pressgang-ccms/webdav/</D:href><D:propstat><D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>http://skynet-dev.usersys.redhat.com:8080/pressgang-ccms/webdav/TOPICS</D:href><D:propstat><D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus>
0
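An added regression check for the fix above (example code, not part of PressGang CCMS): it parses a raw HTTP response and flags a wildcard Access-Control-Allow-Origin on WebDAV requests, mirroring the "CORS only on normal REST endpoints" policy. The REST path prefix is assumed, and the sample responses are constructed from the report and the post-fix output quoted above.

```python
# Added example, not from the PressGang CCMS code base. Audits raw HTTP
# responses for the misconfiguration in this bug: a wildcard
# Access-Control-Allow-Origin header on WebDAV responses.
WEBDAV_PREFIX = "/pressgang-ccms/webdav/"   # path from the bug report
REST_PREFIX = "/pressgang-ccms/rest/"       # assumed, hypothetical REST path
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def cors_header_expected(path):
    """Policy mirroring the fix: CORS headers belong only on normal REST endpoints."""
    return path.startswith(REST_PREFIX)


def audit(method, path, raw_response):
    """Return a list of findings; an empty list means the response passes."""
    findings = []
    _, headers, _ = parse_response(raw_response)
    acao = headers.get("access-control-allow-origin")
    if acao is not None and (method in WEBDAV_METHODS or not cors_header_expected(path)):
        findings.append(f"{method} {path}: unexpected Access-Control-Allow-Origin: {acao}")
    return findings


# Constructed: the pre-fix response shape the report describes.
BEFORE_FIX = (
    "HTTP/1.1 207 Multi-Status\r\nServer: Apache-Coyote/1.1\r\n"
    "Access-Control-Allow-Origin: *\r\nContent-Type: text/xml\r\n\r\n"
    '<?xml version="1.0"?><D:multistatus xmlns:D="DAV:"/>'
)
# Constructed from the post-fix skynet-dev output: no CORS header at all.
AFTER_FIX = (
    "HTTP/1.1 207 Multi-Status\r\nServer: Apache-Coyote/1.1\r\n"
    "Content-Type: text/xml\r\nTransfer-Encoding: chunked\r\n\r\n"
    '23b\r\n<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
)

if __name__ == "__main__":
    for label, raw in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, audit("PROPFIND", WEBDAV_PREFIX, raw) or "ok")
```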
Looks good on my end when hitting skynet-dev. I would have verified sooner, but didn't expect you to take care of it this fast! Thanks for the speedy work.