OPTIONS preflight in RH-SSO will return any Origin Header in Access-Control-Allow-Origin on UserInfo

Solution Unverified - Updated -

Issue

  • An OPTIONS call can set any value in the Origin header and receive it back in Access-Control-Allow-Origin

Environment

  • Red Hat Single Sign-On (RH-SSO) 7
  • Origin Preflight HTTP
  • Security Scan
  • /auth/realm/{REALM}/protocol/openid-connect/userinfo and some other protected resources
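
To check a deployment for the behaviour described in the issue, the following added example (not from the Red Hat article or from RH-SSO itself) parses a captured OPTIONS preflight exchange and classifies the Access-Control-Allow-Origin answer against the realm client's configured Web Origins; the hostname, realm name, allowlist and both responses are constructed.

```python
# Constructed sample: a preflight against the userinfo endpoint path as written
# on this page, sent with an Origin that is NOT registered on the realm client.
ALLOWED_ORIGINS = {"https://app.example.internal"}  # assumed client Web Origins
SAMPLE_REQUEST = (
    "OPTIONS /auth/realm/demo/protocol/openid-connect/userinfo HTTP/1.1\r\n"
    "Host: sso.example.internal\r\n"
    "Origin: https://untrusted.example.net\r\n"
    "Access-Control-Request-Method: GET\r\n"
    "Access-Control-Request-Headers: authorization\r\n\r\n"
)
# Constructed response showing the reported behaviour: the Origin is echoed back.
REFLECTING_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Access-Control-Allow-Origin: https://untrusted.example.net\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Access-Control-Allow-Methods: GET\r\n\r\n"
)
# Constructed response from a correctly configured server: only the allowlisted origin.
STRICT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Access-Control-Allow-Origin: https://app.example.internal\r\n"
    "Access-Control-Allow-Credentials: true\r\n\r\n"
)

def parse_headers(raw: str) -> dict:
    """Return the header block of a raw HTTP message as a lower-cased dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request/status line
        name, sep, value = line.partition(":")   # split on the first colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify_cors(origin: str, response_headers: dict, allowed: set) -> str:
    """Classify how the server answered the preflight for the given Origin."""
    acao = response_headers.get("access-control-allow-origin")
    if acao is None:
        return "no-cors"
    if acao == "*":
        return "wildcard"
    if acao in allowed:
        return "allowlisted"
    if acao == origin:
        return "reflects-untrusted-origin"    # the behaviour this page reports
    return "other"

def audit_exchange(request: str, response: str, allowed: set) -> tuple:
    """Return (classification, credentials_allowed) for one captured exchange."""
    origin = parse_headers(request).get("origin", "")
    resp = parse_headers(response)
    creds = resp.get("access-control-allow-credentials", "").lower() == "true"
    return classify_cors(origin, resp, allowed), creds
```

A result of `reflects-untrusted-origin` together with `Access-Control-Allow-Credentials: true` is the combination worth raising with the realm administrator, since it means the client's Web Origins list is not what is being enforced.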
