From b1a0b38d8faf661e5eb105f7ade713bab0104e3d Mon Sep 17 00:00:00 2001 From: Rossen Stoyanchev Date: Sun, 23 Mar 2014 21:39:27 -0400 Subject: [PATCH] Document use of CORS headers in SockJS Service Issue: SPR-11437 --- src/asciidoc/index.adoc | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/src/asciidoc/index.adoc b/src/asciidoc/index.adoc index cacfd86538..39fef6db76 100644 --- a/src/asciidoc/index.adoc +++ b/src/asciidoc/index.adoc @@ -37355,6 +37355,25 @@ be cached. For details on how to enable it see the https://github.com/sockjs/sockjs-client[SockJS client] page. ==== +[[websocket-fallback-cors]] +==== SockJS and CORS + +The SockJS protocol uses CORS for cross-domain support in the XHR streaming and +XHR polling transports. CORS headers are automatically added to SockJS requests +for transports that require it as well as for the initial `"/info"` request. + +Spring's `SockJsServce` implementation checks for the presence of the CORS +`"Access-Control-Allow-Origin"` header in the response. If present, no new CORS +headers are added, essentially assuming that CORS support is configured +centrally, e.g. through a Servlet Filter. Otherwise the following are added: + +* `"Access-Control-Allow-Origin"` - intitialized from the value of the "origin" request header or "*". +* `"Access-Control-Allow-Credentials"` - always set to `true`. +* `"Access-Control-Request-Headers"` - initialized from values from the equivalent request header. +* `"Access-Control-Allow-Methods"` - the HTTP methods a transport supports (see `TransportType` enum). +* `"Access-Control-Max-Age"` - set to 31536000 (1 year). + +For the exact implementation, see `addCorsHeaders` in `AbstractSockJsService`. [[websocket-fallback-sockjs-servlet3-async]] ==== SockJS and Servlet 3 Async Support
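Review bot: The bullet list of default headers documents `"Access-Control-Allow-Origin"` as taken from the "origin" request header while `"Access-Control-Allow-Credentials"` is "always set to `true`", but the text never says what that combination means. With these defaults, every requesting origin is allowed to make credentialed cross-origin requests to the SockJS endpoint. I suggest adding a sentence after the list saying so, and pointing readers who need an origin allow-list to the central configuration the previous paragraph mentions (a Servlet Filter that sets `"Access-Control-Allow-Origin"` itself). The "or "*"" fallback in the same bullet also deserves a note, since browsers reject a wildcard origin on credentialed requests. Separately, the third bullet names `"Access-Control-Request-Headers"`, which is a request header; if the response header that is set is `Access-Control-Allow-Headers`, the bullet should name that one, so please check it against `addCorsHeaders`. Two typos in the added lines: `SockJsServce` should be `SockJsService`, and "intitialized" should be "initialized".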