Updates after review.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>

documentation/jetty-documentation/src/main/asciidoc/programming-guide/server/http/server-http-handler-use.adoc

@@ -415,7 +415,7 @@ This is common, for example, when you embed reusable components such as a chat c
 
 This kind of setup exposes to link:https://owasp.org/www-community/attacks/csrf[cross-site request forgery attacks], and the CORS protocol has been established to protect against this kind of attacks.
 
-For security reasons, browser by default do not allow cross-origin requests, unless the response from the cross domain contains the right CORS headers.
+For security reasons, browsers by default do not allow cross-origin requests, unless the response from the cross domain contains the right CORS headers.
 
 `CrossOriginHandler` relieves server-side web applications from handling CORS headers explicitly.
 You can set up your `Handler` tree with the `CrossOriginHandler`, configure it, and it will take care of the CORS headers separately from your application, where you can concentrate on the business logic.
@@ -433,7 +433,7 @@ Server
 The most important `CrossOriginHandler` configuration parameter is `allowedOrigins`, which by default is `*`, allowing any origin.
 
 You may want to restrict your server to only origins you trust.
-From the chat example above, the chat server at `+http://chat.domain.com+` knows that the chat component is downloaded from the origin server at `+http://domain.com+`, so it configures the `CrossOriginHandler` in this way:
+From the chat example above, the chat server at `+http://chat.domain.com+` knows that the chat component is downloaded from the origin server at `+http://domain.com+`, so the `CrossOriginHandler` is configured in this way:
 
 [source,java,indent=0]
 ----

jetty-core/jetty-server/src/main/config/etc/jetty-cross-origin.xml

@@ -44,9 +44,9 @@
             </Call>
           </Arg>
         </Call>
-        <Set name="deliverPreflightRequest">
-          <Property name="jetty.crossorigin.deliverPreflightRequest" default="false" />
-        </Set>
+        <Set name="deliverPreflightRequests" property="jetty.crossorigin.deliverPreflightRequests" />
+        <Set name="deliverNonAllowedOriginRequests" property="jetty.crossorigin.deliverNonAllowedOriginRequests" />
+        <Set name="deliverNonAllowedOriginWebSocketUpgradeRequests" property="jetty.crossorigin.deliverNonAllowedOriginWebSocketUpgradeRequests" />
         <Call name="setExposedHeaders">
           <Arg type="Set">
             <Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">
@@ -60,7 +60,7 @@
           <Arg>
             <Call class="java.time.Duration" name="ofSeconds">
               <Arg type="long">
-                <Property name="jetty.crossorigin.preflightMaxAge" default="5" />
+                <Property name="jetty.crossorigin.preflightMaxAge" default="60" />
               </Arg>
             </Call>
           </Arg>

jetty-core/jetty-server/src/main/config/modules/cross-origin.mod

@@ -32,7 +32,13 @@ etc/jetty-cross-origin.xml
 # jetty.crossorigin.allowedTimingOriginPatterns=
 
 ## Whether preflight requests are delivered to the child Handler of CrossOriginHandler.
-# jetty.crossorigin.deliverPreflightRequest=false
+# jetty.crossorigin.deliverPreflightRequests=false
+
+## Whether requests whose origin is not allowed are delivered to the child Handler of CrossOriginHandler.
+# jetty.crossorigin.deliverNonAllowedOriginRequests=true
+
+## Whether WebSocket upgrade requests whose origin is not allowed are delivered to the child Handler of CrossOriginHandler.
+# jetty.crossorigin.deliverNonAllowedOriginWebSocketUpgradeRequests=false
 
 ## A comma-separated list of headers allowed in cross-origin responses.
 # jetty.crossorigin.exposedHeaders=