quarkus: CORS Rejected Error on same-origin requests when CORS is enabled

Describe the bug

Since Quarkus 2.14.2, requests return status 403 if CORS is enabled and the origin is not in the list of allowed CORS origins, even if the request is not cross-origin at all.

Expected behavior

CORS Settings should have no impact on same-origin requests.

Actual behavior

Enabling CORS seems to prevent all requests with an Origin header that isn’t explicitly whitelisted, even same-origin requests. GET requests may still work as browsers don’t add the Origin header to same-origin GET requests.

How to Reproduce?

Reproducer: cors.zip

See the test or just start the project and try to use the Dev UI - anything that isn’t a plain GET request like the attempts to establish websockets for test and logstream will fail.

Output of uname -a or ver

No response

Output of java -version

No response

GraalVM version (if different from Java)

No response

Quarkus version or git rev

2.14.2.Final

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 24 (18 by maintainers)

Most upvoted comments

I think it warrants a Migration note, that the same Origin POST requests have to be explicitly allowed now. Additionally I can have a look at fixing https://github.com/quarkusio/quarkus/issues/29462 both for DevUI and main CORS filters - but it will only be done optionally, doing it by default would be slow and the Origin header can be deliberately set to a value which can cause a long and failed resolution process. IMHO we just can’t go back now and allow same Origin POSTs through without CORS filter making it possible by configuring the Origin or in the future - allowing a reverse DNS lookup.

@sberyozkin Exactly that is my problem. And browsers actually do set the Origin header even for same-origin requests. You can try the button in the second reproducer I linked here, it does a simple fetch('hello', {method: 'POST'}) or look at MDN again:

Broadly speaking, user agents add the Origin request header to:
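To make the behaviour discussed in this thread concrete, here is an added, standalone Python model of the filter logic; it is not Quarkus code and the request shapes, the `http://localhost:8080` origin and the `https://example.com` allowlist entry are constructed assumptions. It shows why a same-origin GET passes while a same-origin POST is rejected, that listing the app's own origin (the migration note) fixes it, and how a check that compares Origin against the request's own scheme and Host would treat the same traffic.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    method: str
    scheme: str                      # scheme the server was reached over
    headers: dict = field(default_factory=dict)

def strict_cors_check(req: Request, allowed_origins: set[str]) -> int:
    """Model of the reported behaviour: any Origin header not in the
    allowlist yields 403, even when it is the server's own origin."""
    origin = req.headers.get("Origin")
    if origin is None:               # same-origin GET: browsers send no Origin
        return 200
    return 200 if origin in allowed_origins else 403

def same_origin_aware_check(req: Request, allowed_origins: set[str]) -> int:
    """Constructed variant: a request whose Origin equals the origin it was
    sent to (scheme + Host header) passes before the allowlist is consulted.
    The maintainer notes Quarkus would at most offer such matching optionally."""
    origin = req.headers.get("Origin")
    if origin is None:
        return 200
    host = req.headers.get("Host")
    if host and origin.lower() == f"{req.scheme}://{host}".lower():
        return 200
    return 200 if origin in allowed_origins else 403

# Constructed sample traffic, modelled on the reproducer: app served at
# http://localhost:8080, allowlist configured for one external site only.
ALLOWED = {"https://example.com"}
SAME_ORIGIN_GET = Request("GET", "http", {"Host": "localhost:8080"})
SAME_ORIGIN_POST = Request("POST", "http",
                           {"Host": "localhost:8080", "Origin": "http://localhost:8080"})
CROSS_ORIGIN_POST = Request("POST", "http",
                            {"Host": "localhost:8080", "Origin": "https://other.example"})

def run_scenarios() -> dict:
    """Status codes each check returns, including the migration-note fix."""
    fixed = ALLOWED | {"http://localhost:8080"}   # own origin listed explicitly
    return {
        "strict_get": strict_cors_check(SAME_ORIGIN_GET, ALLOWED),
        "strict_same_origin_post": strict_cors_check(SAME_ORIGIN_POST, ALLOWED),
        "strict_cross_origin_post": strict_cors_check(CROSS_ORIGIN_POST, ALLOWED),
        "strict_after_listing_own_origin": strict_cors_check(SAME_ORIGIN_POST, fixed),
        "aware_same_origin_post": same_origin_aware_check(SAME_ORIGIN_POST, ALLOWED),
        "aware_cross_origin_post": same_origin_aware_check(CROSS_ORIGIN_POST, ALLOWED),
    }
```

Calling `run_scenarios()` reproduces the issue: the same-origin GET returns 200 but the same-origin POST returns 403 until the app's own origin is added to the allowlist.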