Symptoms
On older versions of VMware Horizon, you see this symptom:Cross-Origin Resource Sharing (CORS) is enabled by default.
Purpose
Currently, there is no way to enable CORS with effective security controls in place; CORS should be disabled. If CORS must be enabled for a particular environment, ensure that checkOrigin is not disabled. This is a critical safeguard when using CORS.
Cause
This issue occurs because CORS is enabled by default on older versions of VMware Horizon - specifically 7.2 (all versions), 7.3.0 7.3.1, 7.3.2, 7.4 (all versions). CORS should be disabled on all versions and installations.
Resolution
The CORS feature was released with an insecure default setting. The default setting has been changed. If you are running a version with the default setting set to "on", the resolution is to disable CORS using these steps.To disable CORS:
Open a text editor and enter information: enableCORS = false Save the file by naming it as locked.properties to install_path\VMware\VMware View\Server\sslgateway\conf.
For more information on disabling CORS, see the Cross-Origin Resource Sharing section of the VMware Horizon Security Guide.VMware would like to thank Suhail Alaskar of Saudi Information Technology Company (SITE) for bringing this issue to our attention.
Workaround
Legacy Details:
Persistent Disks & Linked Clones have been deprecated on the latest editions of Horizon since 2020.
A move to a new profile technology is not contingent on a move to Horizon 8 and can be initiated in advance of upgrade to Horizon 8 as a separate task.Please see Ensuring a successful migration from Horizon 7 to Horizon 8 (89840) for additional advice.
We recommend you migrate from Horizon 7 to Horizon 8 as soon as possible. Horizon 8 offers numerous improvements in performance, scale, and experience for both Administrators and end users.
