[CMS-14291] Non-wildcarded CORS settings do not work for GET requests - Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Normal
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 14.5.0
Component/s: None
Labels:
- kpi-xm-new-feature

Story Points:
0.25
Processed by team:
Quasar
Sprint:
Puma Sprint 250

Description

When configuring CORS Response Headers using hst:responseheaders or hst:allowedorigins using specific URLs, e.g. using "https://my.app.com" rather than "*", see [1], this works for OPTIONS requests but not for GET requests.

In the code in org.hippoecm.hst.core.container.CorsSupportValve#invoke, for GET, setAccessControlAllowOrigin is only called after isAllowedOriginResponseHeaderWildcard check.

Using originAllowed instead can be the fix here.

[1] https://documentation.bloomreach.com/14/library/concepts/page-model-api/configuration.html

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Jeroen Hoffman

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 04/Dec/20 2:08 PM

Updated:: 30/Dec/20 8:53 AM

Resolved:: 30/Dec/20 8:53 AM