=== modified file 'dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/filter/CorsFilter.java'
--- dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/filter/CorsFilter.java 2014-12-30 23:07:59 +0000
+++ dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/filter/CorsFilter.java 2014-12-30 23:28:50 +0000
@@ -28,6 +28,8 @@
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -46,6 +48,8 @@
 */
 public class CorsFilter implements Filter
 {
+ private static final Log LOG = LogFactory.getLog( CorsFilter.class );
+
 public static final String CORS_ALLOW_CREDENTIALS = "Access-Control-Allow-Credentials";
 public static final String CORS_ALLOW_ORIGIN = "Access-Control-Allow-Origin";
@@ -78,14 +82,24 @@
 HttpServletRequest request = (HttpServletRequest) req;
 HttpServletResponse response = (HttpServletResponse) res;
+ String origin = request.getHeader( CORS_ORIGIN );
+
 // Origin header is required for CORS requests
- if ( StringUtils.isEmpty( request.getHeader( CORS_ORIGIN ) ) )
- {
- filterChain.doFilter( request, response );
+ if ( StringUtils.isEmpty( origin ) )
+ {
+ filterChain.doFilter( request, response );
+ return;
+ }
+
+ if ( !isOriginWhitelisted( origin ) )
+ {
+ LOG.warn( "CORS request with origin " + origin + " is not whitelisted." );
+ filterChain.doFilter( request, response );
+ return;
 }
 response.addHeader( CORS_ALLOW_CREDENTIALS, "true" );
- response.addHeader( CORS_ALLOW_ORIGIN, request.getHeader( CORS_ORIGIN ) );
+ response.addHeader( CORS_ALLOW_ORIGIN, origin );
 if ( isPreflight( request ) )
 {
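Review bot: The new warn on the not-whitelisted branch concatenates the raw `Origin` request header into the log message; that value is chosen by the remote client and commons-logging does not escape it, so a header containing CR/LF (or a very long value) can forge or flood log entries. Strip control characters before logging, e.g. `LOG.warn( "CORS request with origin " + origin.replaceAll( "[\\r\\n]", "" ) + " is not whitelisted." );`, or log only a bounded, quoted form of it. Since `Access-Control-Allow-Origin` is now derived from the request, adding `response.addHeader( "Vary", "Origin" );` beside it would stop shared caches from serving a response carrying one origin's allow header to a different origin. doFilter begins and ends outside this hunk, so I cannot see whether later code also reflects request values.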
@@ -111,6 +125,12 @@
 && !StringUtils.isEmpty( request.getHeader( CORS_REQUEST_METHOD ) );
 }
+ private boolean isOriginWhitelisted( String origin )
+ {
+ // TODO add proper list of whitelisted origins
+ return !StringUtils.isEmpty( origin ) && (origin.startsWith( "http://" ) || origin.startsWith( "https://" ));
+ }
+
 @Override
 public void init( FilterConfig filterConfig ) throws ServletException
 {
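Review bot: `isOriginWhitelisted` accepts every origin whose scheme is http or https, so together with the reflected `Access-Control-Allow-Origin` and the `Access-Control-Allow-Credentials: true` set in doFilter it still lets any site issue credentialed cross-origin requests; the TODO acknowledges this, but a placeholder on a security check should fail closed, not open. Until the configured list exists, `return false;` (or a set loaded from configuration) is the safe default, and the eventual check should compare the whole origin (scheme, host and port) for exact equality against that set rather than with `startsWith`, since a prefix test on `https://trusted.example` also matches `https://trusted.example.attacker.com`. The `!StringUtils.isEmpty( origin )` guard duplicates the one doFilter already performs before calling this method and can go once the comparison is exact.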