Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

4.x CORS is active even if not configured and not explicitly added programmatically #7990

Closed
tjquinno opened this issue Nov 10, 2023 · 0 comments · Fixed by #8038
Closed

4.x CORS is active even if not configured and not explicitly added programmatically #7990

tjquinno opened this issue Nov 10, 2023 · 0 comments · Fixed by #8038
Assignees
@tjquinno
Labels
4.x Version 4.x bug Something isn't working webserver
Milestone
4.0.1

Comments

@tjquinno
Copy link
Member

tjquinno commented Nov 10, 2023
edited
Loading

Environment Details

  • Helidon Version: 4.0.0
  • Helidon SE or Helidon MP
  • JDK version:
  • OS:
  • Docker version (if applicable):

Problem Description

Helidon's CORS processing responds to CORS requests even if there is no cors configuration and even if CORS is not set up programmatically.

NOTE: This is not an issue in the CORS code itself but rather, apparently, in how the server discovers and activates CORS.

This is a major change in behavior from Helidon 3.

Previously, if the user did not explicitly configure CORS (or programmatically add CORS support to an SE app) then Helidon's CORS processing was never invoked.

By contrast, in Helidon 4 a request with CORS headers is processed by Helidon's CORS implementation by default, without cors configuration or explicit code adding CORS support.

Further, the CORS processing uses default CORS settings which are permissive.

Running mvn dependency:tree on the SE QuickStart app shows that the health observer brings in helidon-webserver-observe which brings in CORS. (Same for the metrics observer if you comment out the health dependencies from the pom.xml file.)

Steps to reproduce

  1. With the Helidon 3 SE QuickStart app:
    1. Build and run the app.
    2. Submit the following request: curl -i -X GET -H "Origin: http://foo.com" -H "Host: here.com" http://localhost:8080/greet
    3. The output includes no CORS headers.
  2. Do the same with the Helidon 4 SE QuickStart app:
    1. Build it and run it.
    2. Submit the same request as above.
    3. Note the CORS headers in the returned response.
@tjquinno tjquinno added bug Something isn't working webserver 4.x Version 4.x labels Nov 10, 2023
@tjquinno tjquinno self-assigned this Nov 17, 2023
@tjquinno tjquinno mentioned this issue Nov 20, 2023
Merged
@barchetta barchetta added this to the 4.0.1 milestone Nov 20, 2023
@tjquinno tjquinno mentioned this issue Apr 20, 2024
Open
@m0mus m0mus added this to Backlog Aug 12, 2024
@m0mus m0mus moved this to Closed in Backlog Aug 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tjquinno tjquinno

Labels
4.x Version 4.x bug Something isn't working webserver
Projects
Backlog
Archived in project
Milestone
4.0.1
Development

Successfully merging a pull request may close this issue.

Change CorsConfig.enabled to optional and add logic to infer it tjquinno/helidon
2 participants
@barchetta @tjquinno