quarkus: Request rejected by CORS for fonts in dev UI when `quarkus.http.cors=true` is set

Describe the bug

When `quarkus.http.cors=true` is set, navigating to the dev UI at http://localhost:8080/q/dev fails while fetching the WOFF fonts with `Failed to load resource: the server responded with a status of 403 (CORS Rejected - Invalid origin)` in the browser (Chrome) console.

Expected behavior

No errors and the icons are rendered properly in the Dev UI

Actual behavior

The fonts are not rendered and you can see the aforementioned error in the console logs

How to Reproduce?

  1. Create a new Quarkus application with quarkus create app
  2. Add the quarkus.http.cors=true to the application.properties
  3. Run the following cURL command. It should return 200 but returns HTTP/1.1 403 CORS Rejected - Invalid origin instead:
curl 'http://localhost:8080/q/dev/resources/fontawesome/webfonts/fa-solid-900.woff2' \
  -H 'Accept: */*' \
  -H 'Accept-Language: en-US,en;q=0.9,pt-BR;q=0.8,pt;q=0.7' \
  -H 'Connection: keep-alive' \
  -H 'DNT: 1' \
  -H 'Origin: http://localhost:8080' \
  -H 'Referer: http://localhost:8080/q/dev/resources/fontawesome/css/all.min.css' \
  -H 'Sec-Fetch-Dest: font' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36' \
  -H 'sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  --compressed

Output of uname -a or ver

Darwin MacBook-Pro-de-George 22.3.0 Darwin Kernel Version 22.3.0: Mon Jan 30 20:38:37 PST 2023; root:xnu-8792.81.3~2/RELEASE_ARM64_T6000 arm64

Output of java -version

openjdk version "17.0.6" 2023-01-17
OpenJDK Runtime Environment GraalVM CE 22.3.1 (build 17.0.6+10-jvmci-22.3-b13)
OpenJDK 64-Bit Server VM GraalVM CE 22.3.1 (build 17.0.6+10-jvmci-22.3-b13, mixed mode, sharing)

GraalVM version (if different from Java)

No response

Quarkus version or git rev

2.16.3.Final

Build tool (ie. output of mvnw --version or gradlew --version)

Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
Maven home: /Users/ggastald/.sdkman/candidates/maven/current
Java version: 17.0.6, vendor: GraalVM Community, runtime: /Users/ggastald/.sdkman/candidates/java/22.3.1.r17-grl
Default locale: en_BR, platform encoding: UTF-8
OS name: "mac os x", version: "13.2.1", arch: "aarch64", family: "mac"

Additional information

No response

About this issue

  • State: closed
  • Created a year ago
  • Comments: 17 (17 by maintainers)

Most upvoted comments

In both cases the CORS filter makes the decision. Without explicitly enabling CORS as George did, what happens is that only DevConsoleCORSFilter is listening, but it will delegate to a private CORSFilter instance to finalize. But when CORS is also explicitly enabled, both DevConsoleCORSFilter (with private CORSFilter) and an independent CORSFilter without any extra configuration are enabled, and indeed I did expect #30757 to cover this case. But something is interfering; I’ll debug first thing tomorrow

I knew I should’ve said 99% 😃

@gastaldi oops… Sure, will check tomorrow, thanks for the investigation

@gastaldi I’m 100% sure #30757 will fix it, can you please retry against that PR?
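
The report expects a request whose `Origin` matches the server's own address to pass even when no allowed origins are configured. The following is an added example of that decision, not Quarkus's `CORSFilter` code and not taken from the issue or from #30757; the class name, method names and the empty allow-list are assumptions, and the inputs are constructed.

```java
import java.net.URI;
import java.util.Set;

public class SameOriginCorsCheck {

    // Port a URI refers to when it omits one.
    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // True when Origin names the same scheme, host and port the request was sent to.
    // Sec-Fetch-Site is deliberately not consulted; the comparison uses the request's own address.
    static boolean isSameOrigin(String origin, String requestScheme, String hostHeader) {
        try {
            URI o = URI.create(origin);
            URI r = URI.create(requestScheme + "://" + hostHeader);
            if (o.getScheme() == null || o.getHost() == null || r.getHost() == null) {
                return false; // covers "Origin: null" and other opaque values
            }
            return o.getScheme().equalsIgnoreCase(r.getScheme())
                    && o.getHost().equalsIgnoreCase(r.getHost())
                    && effectivePort(o) == effectivePort(r);
        } catch (IllegalArgumentException e) {
            return false; // a malformed Origin is never same-origin
        }
    }

    // HTTP status a filter with this policy would return (hypothetical helper).
    static int decide(String origin, String scheme, String host, Set<String> allowedOrigins) {
        if (origin == null) return 200;                      // no Origin header: not a CORS request
        if (isSameOrigin(origin, scheme, host)) return 200;  // the Dev UI font fetch lands here
        return allowedOrigins.contains(origin) ? 200 : 403;  // cross-origin needs an explicit allow
    }

    public static void main(String[] args) {
        Set<String> none = Set.of(); // constructed: CORS enabled, no origins configured
        // Constructed inputs; the first mirrors the Origin header in the curl command above.
        System.out.println(decide("http://localhost:8080", "http", "localhost:8080", none));
        System.out.println(decide("http://localhost:3000", "http", "localhost:8080", none));
        System.out.println(decide("https://localhost:8080", "http", "localhost:8080", none));
        System.out.println(decide("null", "http", "localhost:8080", none));
    }
}
```

Behind a reverse proxy, the scheme and host passed to `isSameOrigin` have to be the externally visible ones, otherwise legitimate same-origin requests are rejected in the same way the issue describes.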