assembly-wsmaster-war uses an insecure cross-origin resource sharing (CORS) policy. The CORS configuration is enabled by default, which would allow a malicious web site to start an arbitrary Che workspace on behalf of the authenticated user in a manner of a CSRF attack.