OPTIONS preflight in RH-SSO will return any Origin Header in Access-Control-Allow-Origin on UserInfo
Issue
- An OPTIONS call can set any value in the Origin header and receive it back in Access-Control-Allow-Origin
Environment
- Red Hat Single Sign-On (RH-SSO)
- 7
- Origin Preflight HTTP
- Security Scan
- /auth/realm/{REALM}/protocol/openid-connect/userinfo and some other protected resources
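To confirm the scanner finding against your own RH-SSO instance, the following sends the same kind of preflight and classifies the response. It is an added example, not Red Hat's code; the probe origin, the function names and the result labels are assumptions of this example.

```python
import http.client
from urllib.parse import urlsplit

# Constructed probe origin (assumption): a value no client would list as an allowed web origin.
PROBE_ORIGIN = "https://cors-probe.example.invalid"

def classify_preflight(sent_origin, headers):
    """Classify a preflight response from its CORS headers.

    headers: dict of response headers (any case). Returns 'no-cors', 'wildcard',
    'reflected', 'reflected-with-credentials' or 'other-origin'.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return "no-cors"          # server sent no CORS grant at all
    if acao == "*":
        return "wildcard"         # any origin, but browsers refuse credentials with "*"
    if acao.lower() == sent_origin.lower():
        # The behaviour described in the Issue: the request Origin is echoed back.
        creds = h.get("access-control-allow-credentials", "").lower() == "true"
        return "reflected-with-credentials" if creds else "reflected"
    return "other-origin"         # a fixed origin that is not the one we sent

def probe(url, origin=PROBE_ORIGIN, timeout=10):
    """Send the OPTIONS preflight a browser issues before a cross-origin GET
    carrying an Authorization header, and classify the answer."""
    u = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.netloc, timeout=timeout)
    try:
        conn.request("OPTIONS", u.path or "/", headers={
            "Origin": origin,
            "Access-Control-Request-Method": "GET",
            "Access-Control-Request-Headers": "authorization",
        })
        resp = conn.getresponse()
        resp.read()
        return resp.status, classify_preflight(origin, dict(resp.getheaders()))
    finally:
        conn.close()

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))     # pass the full UserInfo URL of your own realm
```

A result of `reflected` or `reflected-with-credentials` for an origin that no client is configured to allow matches the behaviour in the Issue above.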