Update docs after changes for CVE-2018-8014
git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc8.0.x/trunk@1832594 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/java/org/apache/catalina/filters/CorsFilter.java b/java/org/apache/catalina/filters/CorsFilter.java
index 514f648..0ccee7e 100644
--- a/java/org/apache/catalina/filters/CorsFilter.java
+++ b/java/org/apache/catalina/filters/CorsFilter.java
@@ -1162,7 +1162,7 @@
// ------------------------------------------------ Configuration Defaults
/**
- * By default, all origins are allowed to make requests.
+ * By default, no origins are allowed to make requests.
*/
public static final String DEFAULT_ALLOWED_ORIGINS = "";
@@ -1178,7 +1178,7 @@
public static final String DEFAULT_PREFLIGHT_MAXAGE = "1800";
/**
- * By default, support credentials is turned on.
+ * By default, support credentials is disabled.
*/
public static final String DEFAULT_SUPPORTS_CREDENTIALS = "false";
diff --git a/webapps/docs/config/filter.xml b/webapps/docs/config/filter.xml
index 20c0830..49001fb 100644
--- a/webapps/docs/config/filter.xml
+++ b/webapps/docs/config/filter.xml
@@ -130,7 +130,7 @@
specified to enable access to resource from any origin. Otherwise, a
whitelist of comma separated origins can be provided. Eg: <code>
http://www.w3.org, https://www.apache.org</code>.
- <strong>Defaults:</strong> <code>*</code> (Any origin is allowed to
+ <strong>Defaults:</strong> The empty String. (No origin is allowed to
access the resource).</p>
</attribute>
<attribute name="cors.allowed.methods" required="false">
@@ -171,7 +171,7 @@
<code>Access-Control-Allow-Credentials</code> header in a pre-flight
response. It helps browser determine whether or not an actual request
can be made using credentials. <strong>Defaults:</strong>
- <code>true</code></p>
+ <code>false</code></p>
</attribute>
<attribute name="cors.request.decorate" required="false">
<p>A flag to control if CORS specific attributes should be added to
