Refine CORS documentation for wildcard processing #31143

Closed
@lowcasz

In CORS configuration we don't have access to the request and response, e.g. by servlet filter.
We have allowedOriginsPattern to override the * wildcard when we are using allowCredentials=true.
In this situation we overwrite the allowed-origin header with the request origin, but the headers and methods wildcards are still not overwritten, which is not allowed by the documentation when we allow credentials.

When some configuration for requestHeaders, exposedHeaders, allowedMethods is null then all is clear,
but when we have allowed credentials and some list is defined with one value with an asterisk then it should be overwritten according to the CORS documentation.

It is problematic for preflighted requests when we don't know all request headers or exposed headers,
but in a single request it should be overwritten according to the headers from the request and response when we allow credentials,
or we should have the possibility to calculate CORS headers dynamically based on the request and response to fix it manually.
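
The browser-side rule this issue refers to, as an added example that is not part of the original issue or Spring's code: under the Fetch standard, `*` in `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` is a wildcard only for requests sent without credentials. The function name, request/response objects and sample values are constructed for illustration, and the model is simplified (no header-value safelisting, no preflight cache).

```javascript
// Simplified model of the Fetch standard's CORS check and preflight evaluation.
// Illustrative only: not browser or Spring source; all names are constructed.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const parseList = (v) => (v == null ? [] : v.split(",").map((s) => s.trim()).filter(Boolean));

// request:  { origin, method, unsafeHeaders: string[], credentials: boolean }
// response: preflight response headers keyed by lower-case name
function preflightPasses(request, response) {
  const withCreds = request.credentials;
  const allowOrigin = response["access-control-allow-origin"];

  // Origin: "*" is accepted only when no credentials are sent.
  if (!(allowOrigin === "*" && !withCreds)) {
    if (allowOrigin !== request.origin) return false;
    if (withCreds && response["access-control-allow-credentials"] !== "true") return false;
  }

  // Methods: with credentials, "*" is the literal method name "*", not a wildcard.
  const methods = parseList(response["access-control-allow-methods"]);
  if (!methods.includes(request.method) && !SAFELISTED_METHODS.has(request.method)) {
    if (withCreds || !methods.includes("*")) return false;
  }

  // Headers: same rule; Authorization must always be listed explicitly.
  const allowed = parseList(response["access-control-allow-headers"]).map((h) => h.toLowerCase());
  for (const name of request.unsafeHeaders.map((h) => h.toLowerCase())) {
    if (allowed.includes(name)) continue;
    if (name === "authorization" || withCreds || !allowed.includes("*")) return false;
  }
  return true;
}

// Constructed sample data: origin echoed back, but methods/headers left as "*".
const request = { origin: "https://app.example", method: "PUT", unsafeHeaders: ["X-Trace-Id"] };
const echoedOriginWildcards = {
  "access-control-allow-origin": "https://app.example",
  "access-control-allow-credentials": "true",
  "access-control-allow-methods": "*",
  "access-control-allow-headers": "*",
};
const explicitLists = {
  ...echoedOriginWildcards,
  "access-control-allow-methods": "GET, PUT",
  "access-control-allow-headers": "X-Trace-Id",
};

console.log("credentialed, wildcards:", preflightPasses({ ...request, credentials: true }, echoedOriginWildcards));
console.log("credentialed, explicit: ", preflightPasses({ ...request, credentials: true }, explicitLists));
```

The same wildcard response passes for a request without credentials, which is why the failure only shows up once `allowCredentials=true` is combined with `*` lists.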

Labels

in: web (Issues in web modules (web, webmvc, webflux, websocket))
status: backported (An issue that has been backported to maintenance branches)
type: documentation (A documentation task)
