diff --git a/modules/transport-netty4/src/main/java/org/elasticsearch/http/netty4/cors/Netty4CorsConfig.java b/modules/transport-netty4/src/main/java/org/elasticsearch/http/netty4/cors/Netty4CorsConfig.java index 939d5540ecf..17e21ce468b 100644 --- a/modules/transport-netty4/src/main/java/org/elasticsearch/http/netty4/cors/Netty4CorsConfig.java +++ b/modules/transport-netty4/src/main/java/org/elasticsearch/http/netty4/cors/Netty4CorsConfig.java @@ -48,7 +48,6 @@ public final class Netty4CorsConfig { private final long maxAge; private final Set allowedRequestMethods; private final Set allowedRequestHeaders; - private final boolean allowNullOrigin; private final Map> preflightHeaders; private final boolean shortCircuit; @@ -61,7 +60,6 @@ public final class Netty4CorsConfig { maxAge = builder.maxAge; allowedRequestMethods = builder.requestMethods; allowedRequestHeaders = builder.requestHeaders; - allowNullOrigin = builder.allowNullOrigin; preflightHeaders = builder.preflightHeaders; shortCircuit = builder.shortCircuit; } @@ -108,19 +106,6 @@ public final class Netty4CorsConfig { return false; } - /** - * Web browsers may set the 'Origin' request header to 'null' if a resource is loaded - * from the local file system. - * - * If isNullOriginAllowed is true then the server will response with the wildcard for the - * the CORS response header 'Access-Control-Allow-Origin'. - * - * @return {@code true} if a 'null' origin should be supported. - */ - public boolean isNullOriginAllowed() { - return allowNullOrigin; - } - /** * Determines if credentials are supported for CORS requests. * diff --git a/modules/transport-netty4/src/main/java/org/elasticsearch/http/netty4/cors/Netty4CorsConfigBuilder.java b/modules/transport-netty4/src/main/java/org/elasticsearch/http/netty4/cors/Netty4CorsConfigBuilder.java index 16513c57bb3..3e87d948dab 100644 --- a/modules/transport-netty4/src/main/java/org/elasticsearch/http/netty4/cors/Netty4CorsConfigBuilder.java +++ b/modules/transport-netty4/src/main/java/org/elasticsearch/http/netty4/cors/Netty4CorsConfigBuilder.java @@ -74,7 +74,6 @@ public final class Netty4CorsConfigBuilder { Optional> origins; Optional pattern; final boolean anyOrigin; - boolean allowNullOrigin; boolean enabled = true; boolean allowCredentials; long maxAge; diff --git a/modules/transport-netty4/src/main/java/org/elasticsearch/http/netty4/cors/Netty4CorsHandler.java b/modules/transport-netty4/src/main/java/org/elasticsearch/http/netty4/cors/Netty4CorsHandler.java index 78ea9decd1d..5f7baffc86a 100644 --- a/modules/transport-netty4/src/main/java/org/elasticsearch/http/netty4/cors/Netty4CorsHandler.java +++ b/modules/transport-netty4/src/main/java/org/elasticsearch/http/netty4/cors/Netty4CorsHandler.java @@ -167,11 +167,6 @@ public class Netty4CorsHandler extends ChannelDuplexHandler { private boolean setOrigin(final HttpResponse response) { final String origin = request.headers().get(HttpHeaderNames.ORIGIN); if (!Strings.isNullOrEmpty(origin)) { - if ("null".equals(origin) && config.isNullOriginAllowed()) { - setAnyOrigin(response); - return true; - } - if (config.isAnyOriginSupported()) { if (config.isCredentialsAllowed()) { echoRequestOrigin(response); @@ -201,10 +196,6 @@ public class Netty4CorsHandler extends ChannelDuplexHandler { return true; } - if ("null".equals(origin) && config.isNullOriginAllowed()) { - return true; - } - // if the origin is the same as the host of the request, then allow if (isSameOrigin(origin, request.headers().get(HttpHeaderNames.HOST))) { return true;