Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow CORS wildcard headers #44651

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Allow CORS wildcard headers #44651

wants to merge 1 commit into from
+40 −3

Conversation

StaticBR
Copy link

Currently it is not possible to set wildcard header values for some CORS Headers.

This bug concerns:

All of which can, according to the specs set to "*".
Setting this value in the quarkus properies, results in quarkus not setting the header field. This is not correct, since the default values are not "*".

This PR fixes this behavior.

@StaticBR
Allow CORS wildcard headers
c1e5c37 
According to spec all 3 headers can be set to wildcard "*".
@sberyozkin
Copy link
Member

@StaticBR Can you clarify please why is it necessary ?

Quarkus would set Access-Control-Allow-Headers and Access-Control-Allow-Methods to concrete values. In your test, there are no Access-Control-Requst-Headers and Access-Control-Request-Methods.

As far as Access-Control-Exposed-Headers is concerned, it really requires a user to think and make a decision which headers should be exposable to Java scripts.

@StaticBR
Copy link
Author

@sberyozkin
I try to explain where I am coming from:
I wanted to set the Access-Control-Expose-Headers to * in quarkus.
So i set the configuration property: quarkus.http.cors.exposed-headers=*
Which resulted in no change at all. So i searched why this configuration is not working ... which resulted in this PR.

I think that if a Developer explicitly set a configuration property to *, which is a valid value. This is what the header should be set to.

To your points:

Quarkus would set 'Access-Control-Allow-Headers' and 'Access-Control-Allow-Methods' to concrete values.

This is a suitable default. But if the config property is set, why use the default?

In your test, there are no Access-Control-Requst-Headers and Access-Control-Request-Methods.

Sorry i do not understand what you mean by that. These headers are in the test case.

As far as Access-Control-Exposed-Headers is concerned, it really requires a user to think and make a decision which headers should be exposable to Java scripts.

Yes, and if my decision is to expose all headers for an origin, I have currently no possibility to set this via the configuration property.

@sberyozkin
Copy link
Member

@StaticBR

In your test, there are no Access-Control-Requst-Headers and Access-Control-Request-Methods.

Sorry i do not understand what you mean by that. These headers are in the test case.

Your test case has *Allow* variations in the response, but not input headers, like Access-Control-Request-Headers

which is when

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers

is expected to be returned: This header is required if the preflight request contains [Access-Control-Request-Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers).

@StaticBR
Copy link
Author

StaticBR commented Nov 23, 2024
edited
Loading

@sberyozkin
Okay, now I'm more confused. I just changed the preprocessing of the configuration property. So this change is what the test case verifies.
I did not alter under which circumstances the header is returned. So i assume this is already checked by another test.

Long story short:
What do you need, so you will be able to merge this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
area/vertx
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@StaticBR @sberyozkin