Request rejected by CORS for fonts in dev UI when quarkus.http.cors=true is set
#31523
Labels
Milestone
Comments
gastaldi
added
area/user-experience
|
@gastaldi do you have the same issue with Dev UI 2? |
|
@gsmet I can confirm it happens with Dev UI 2 as well:
|
gastaldi
changed the title
quarkus.http.cors=true is set
|
Thanks @gastaldi Case of duplicate CORSFilter runnig alongside I have to admit I'm not sure how to fix it. |
|
Actually, I think I know which PR will fix it |
|
@sberyozkin sorry to disappoint you, but unfortunately it didn't work :( |
|
@gastaldi oops... Sure, will check tomorrow, thanks for the investigation |
|
I knew I should've said |
|
I was about to suggest exactly #30757 too as a way to fix it. could it be sameorigin is not being enabled for both devmode and the real one? |
|
In both cases CORS filter makes the decision, without explicitly enabling CORS as George did what happens is that only DevConsoleCORSFilter is listening but it will delegate to a private CORSFilter instance to finalize. But when CORS is also explicitly enabled, both DevConsoleCORSFilter (with private CORSFilter) and an independent CORSFilter without any extra configuration is enabled and indeed I did expect #30757 to cover this case. But something is interfering, I'll debug first thing tomorrow |
|
I'm testing on #30757 so far, Firefox, Chrome, with
|
|
New |
|
Right, you use curl, this command works too, I get some font downloaded, curl requested me to add |
|
Guillaume, Max, would you like to try it too for the extra coverage ? Clement, you mentioned you were seeing these 403, please check #30757 as well |
|
@sberyozkin you are 100% correct! 😄 I just tested and I confirm that it works with your changes. It's weird that it didn't work yesterday, it's possible that I might have made some mistakes while switching between Quarkus versions during the test, sorry for that 😅 |
|
Hey @gastaldi Np at all, workspace refresh issues are always happening, thanks for reporting the problem and confirming the fix, cheers |
benkard
added a commit
to benkard/mulkcms2
that referenced
this issue
Apr 4, 2023
This MR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [flow-bin](https://github.com/flowtype/flow-bin) ([changelog](https://github.com/facebook/flow/blob/master/Changelog.md)) | devDependencies | minor | [`^0.201.0` -> `^0.203.0`](https://renovatebot.com/diffs/npm/flow-bin/0.201.0/0.203.1) | | [com.rometools:rome](http://rometools.com) ([source](https://github.com/rometools/rome)) | compile | minor | `2.0.0` -> `2.1.0` | | [org.postgresql:postgresql](https://jdbc.postgresql.org) ([source](https://github.com/pgjdbc/pgjdbc)) | build | minor | `42.5.4` -> `42.6.0` | | [com.diffplug.spotless:spotless-maven-plugin](https://github.com/diffplug/spotless) | build | minor | `2.34.0` -> `2.35.0` | | [org.apache.maven.plugins:maven-resources-plugin](https://maven.apache.org/plugins/) | build | patch | `3.3.0` -> `3.3.1` | | [io.quarkus:quarkus-maven-plugin](https://github.com/quarkusio/quarkus) | build | patch | `2.16.4.Final` -> `2.16.6.Final` | | [io.quarkus:quarkus-universe-bom](https://github.com/quarkusio/quarkus-platform) | import | patch | `2.16.4.Final` -> `2.16.6.Final` | --- ### Release Notes <details> <summary>flowtype/flow-bin</summary> ### [`v0.203.1`](flow/flow-bin@0c16b26...5e0645d) [Compare Source](flow/flow-bin@0c16b26...5e0645d) ### [`v0.203.0`](flow/flow-bin@861f798...0c16b26) [Compare Source](flow/flow-bin@861f798...0c16b26) ### [`v0.202.1`](flow/flow-bin@2b48bba...861f798) [Compare Source](flow/flow-bin@2b48bba...861f798) ### [`v0.202.0`](flow/flow-bin@86aea9c...2b48bba) [Compare Source](flow/flow-bin@86aea9c...2b48bba) </details> <details> <summary>rometools/rome</summary> ### [`v2.1.0`](https://github.com/rometools/rome/releases/tag/2.1.0) [Compare Source](rometools/rome@2.0.0...2.1.0) <!-- Release notes generated using configuration in .github/release.yml at 2.1.0 --> #### What's Changed ##### ⭐ New Features - Downgrade Java from version 11 to 8 by [@​PatrickGotthard](https://github.com/PatrickGotthard) in rometools/rome#642 - Add support for GraalVM native images by [@​artembilan](https://github.com/artembilan) in rometools/rome#636 ##### 🔨 Dependency Upgrades - Bump maven-compiler-plugin from 3.10.1 to 3.11.0 by [@​dependabot](https://github.com/dependabot) in rometools/rome#635 ##### 🧹 Cleanup - Remove unused config files by [@​PatrickGotthard](https://github.com/PatrickGotthard) in rometools/rome#632 - Polish GitHub workflows by [@​PatrickGotthard](https://github.com/PatrickGotthard) in rometools/rome#633 - Polish code by [@​antoniosanct](https://github.com/antoniosanct) in rometools/rome#631 ##### ✔ Other Changes - Update configuration for automatically generated release notes by [@​PatrickGotthard](https://github.com/PatrickGotthard) in rometools/rome#634 #### New Contributors - [@​artembilan](https://github.com/artembilan) made their first contribution in rometools/rome#636 **Full Changelog**: rometools/rome@2.0.0...2.1.0 </details> <details> <summary>pgjdbc/pgjdbc</summary> ### [`v42.6.0`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#​4260-2023-03-17-153434--0400) ##### Changed fix: use PhantomReferences instead of `Obejct.finalize()` to track Connection leaks [MR #​2847](pgjdbc/pgjdbc#2847) The change replaces all uses of Object.finalize with PhantomReferences. The leaked resources (Connections) are tracked in a helper thread that is active as long as there are connections in use. By default, the thread keeps running for 30 seconds after all the connections are released. The timeout is set with pgjdbc.config.cleanup.thread.ttl system property. refactor:(loom) replace the usages of synchronized with ReentrantLock [MR #​2635](pgjdbc/pgjdbc#2635) Fixes [Issue #​1951](pgjdbc/pgjdbc#1951) </details> <details> <summary>diffplug/spotless</summary> ### [`v2.35.0`](https://github.com/diffplug/spotless/blob/HEAD/CHANGES.md#​2350---2023-02-10) ##### Added - CleanThat Java Refactorer. ([#​1560](diffplug/spotless#1560)) - Introduce `LazyArgLogger` to allow for lazy evaluation of log messages in slf4j logging. ([#​1565](diffplug/spotless#1565)) ##### Fixed - Allow multiple instances of the same npm-based formatter to be used by separating their `node_modules` directories. ([#​1565](diffplug/spotless#1565)) - `ktfmt` default style uses correct continuation indent. ([#​1562](diffplug/spotless#1562)) ##### Changes - Bump default `ktfmt` version to latest `0.42` -> `0.43` ([#​1561](diffplug/spotless#1561)) - Bump default `jackson` version to latest `2.14.1` -> `2.14.2` ([#​1536](diffplug/spotless#1536)) </details> <details> <summary>quarkusio/quarkus</summary> ### [`v2.16.6.Final`](https://github.com/quarkusio/quarkus/releases/tag/2.16.6.Final) [Compare Source](quarkusio/quarkus@2.16.5.Final...2.16.6.Final) ##### Complete changelog - [#​32319](quarkusio/quarkus#32319) - \[2.16] Revert io.netty.noUnsafe change - [#​32302](quarkusio/quarkus#32302) - Qute - fix validation of expressions with the "cdi" namespace - [#​32253](quarkusio/quarkus#32253) - (2.16) Upgrade to graphql-java 19.4 - [#​32223](quarkusio/quarkus#32223) - (2.16) Upgrade wildfly-elytron to 1.20.3.Final - [#​32110](quarkusio/quarkus#32110) - Prevent splitting of cookie header values when using AWS Lambda - [#​32107](quarkusio/quarkus#32107) - Fix Podman detection on Windows - [#​32106](quarkusio/quarkus#32106) - Native building with container: Podman not detected on Windows - [#​32093](quarkusio/quarkus#32093) - Re-use current ApplicationModel for JaCoCo reports when testing Gradle projects - [#​32090](quarkusio/quarkus#32090) - K8s moved its registry - [#​32088](quarkusio/quarkus#32088) - Remove the session cookie if ID token verification failed - [#​32082](quarkusio/quarkus#32082) - Add missing quote in Hibernate Reactive with Panache guide - [#​32079](quarkusio/quarkus#32079) - Quarkus JaCoCo extension fails to start Gradle daemon - [#​32058](quarkusio/quarkus#32058) - Allow use of null in REST Client request body - [#​32047](quarkusio/quarkus#32047) - rest client reactive throws npe on null request body - [#​32041](quarkusio/quarkus#32041) - K8s is moving it's images - [#​32037](quarkusio/quarkus#32037) - Set-Cookie Header is Split when using OIDC together with AWS Lambda - [#​32015](quarkusio/quarkus#32015) - Support repeatable Incomings annotation for reactive messaging - [#​32002](quarkusio/quarkus#32002) - Quarkus: Kafka Event Processor with 2 `@incoming` annotations throws Null Pointer SRMSG00212 - [#​31984](quarkusio/quarkus#31984) - Only substitute OctetKeyPair\* classes when on the classpath - [#​31978](quarkusio/quarkus#31978) - Remove quarkus.hibernate-orm.database.generation=drop-and-create from Hibernate ORM codestart - [#​31930](quarkusio/quarkus#31930) - Native build fails for JWT - [#​31893](quarkusio/quarkus#31893) - Docker or Podman required for tests since 3.0.0.Alpha6 - [#​31857](quarkusio/quarkus#31857) - Container runtime detection cached in sys prop, container-docker extension - [#​31811](quarkusio/quarkus#31811) - Check the expiry date for inactive OIDC tokens - [#​31717](quarkusio/quarkus#31717) - Quarkus OIDC Session Cookie not deleted in case of 401 unauthorized - [#​31714](quarkusio/quarkus#31714) - OIDC token refresh fails with 401, if user info is used and not available in the cache (anymore) - [#​31662](quarkusio/quarkus#31662) - Warning when docker is not running - [#​31525](quarkusio/quarkus#31525) - Bump Keycloak version to 21.0.1 - [#​31490](quarkusio/quarkus#31490) - Enable Podman and Docker Windows quarkus-container-image-docker testing - [#​31307](quarkusio/quarkus#31307) - Native Build on Windows has incorrect resource slashes - [#​30383](quarkusio/quarkus#30383) - Create a new base classloader including parent-first test scoped dependencies when bootstrapping for CT ### [`v2.16.5.Final`](https://github.com/quarkusio/quarkus/releases/tag/2.16.5.Final) [Compare Source](quarkusio/quarkus@2.16.4.Final...2.16.5.Final) ##### Complete changelog - [#​31959](quarkusio/quarkus#31959) - New home for Narayana LRA coordinator Docker images - [#​31931](quarkusio/quarkus#31931) - Support raw collections in RESTEasy Reactive server and client - [#​31922](quarkusio/quarkus#31922) - Add more lenient Liquibase ZipPathHandler to work around includeAll not working in prod mode - [#​31904](quarkusio/quarkus#31904) - \[2.16] Upgrade SmallRye GraphQL to 1.9.4 - [#​31894](quarkusio/quarkus#31894) - Supply missing extension metadata for reactive keycloak client - [#​31891](quarkusio/quarkus#31891) - Fix truststore REST Client config when password is not set - [#​31867](quarkusio/quarkus#31867) - Qute type-safe fragments - fix validation for loop metadata and globals - [#​31866](quarkusio/quarkus#31866) - The behavior of the `@RestHeader` annotation is different from the `@HeaderParam` annotation when the parameter is of type List - [#​31864](quarkusio/quarkus#31864) - Fix incorrect generic type passed to MessageBodyWriter#writeTo - [#​31818](quarkusio/quarkus#31818) - Jackson JAX-RS YAML Provider for Resteasy Reactive - [#​31804](quarkusio/quarkus#31804) - \[2.16] A test to make sure non-existing modules are ignored during workspace discovery - [#​31793](quarkusio/quarkus#31793) - \[2.16] Fix NPE loading workspace modules - [#​31770](quarkusio/quarkus#31770) - Fix native compilation when using quarkus-jdbc-oracle with elasticsearch-java - [#​31769](quarkusio/quarkus#31769) - Capability added for quarkus-rest-client-reactive-jackson - [#​31756](quarkusio/quarkus#31756) - quarkus-rest-client-reactive-jackson doesn't provide capabilities - [#​31728](quarkusio/quarkus#31728) - Register additional cache implementations for reflection - [#​31718](quarkusio/quarkus#31718) - Properly close metadata file in integration tests - [#​31713](quarkusio/quarkus#31713) - "Too many open files" When test native image. - [#​31712](quarkusio/quarkus#31712) - Make request scoped beans work properly in ReaderInterceptors - [#​31705](quarkusio/quarkus#31705) - Remove all dev services for kubernetes dependencies from kubernetes-client-internal - [#​31692](quarkusio/quarkus#31692) - RequestScoped context not active when using a ReaderInterceptor with large HTTP requests - [#​31688](quarkusio/quarkus#31688) - Suppress config changed warning for quarkus.test.arg-line - [#​31643](quarkusio/quarkus#31643) - Fix iterator issue when executing a zrange with score on a missing key - [#​31626](quarkusio/quarkus#31626) - quarkus.test.arg-line has become a built-time fixed property in 2.16.4 - [#​31624](quarkusio/quarkus#31624) - native compilation : quarkus-jdbc-oracle with elasticsearch-java strange behaviour - [#​31617](quarkusio/quarkus#31617) - Bump Stork version 1.4.2 - [#​31579](quarkusio/quarkus#31579) - Reinitialize sun.security.pkcs11.P11Util at runtime - [#​31560](quarkusio/quarkus#31560) - Prevent SSE writing from potentially causing accumulation of headers - [#​31559](quarkusio/quarkus#31559) - `SseUtil` unexpectedly stores headers in `Serialisers.EMPTY_MULTI_MAP` - [#​31551](quarkusio/quarkus#31551) - Scheduler - detect scheduled methods of the same name on a class - [#​31547](quarkusio/quarkus#31547) - Scheduler - it's possible to declare two scheduled methods of the same name on the same class - [#​31545](quarkusio/quarkus#31545) - Append System.lineSeparator() to config error messages - [#​31536](quarkusio/quarkus#31536) - Missing newline characters in config error message - [#​31532](quarkusio/quarkus#31532) - Interpret negative/zero body-limit as infinite when logging REST Client request body - [#​31523](quarkusio/quarkus#31523) - Request rejected by CORS for fonts in dev UI when `quarkus.http.cors=true` is set - [#​31496](quarkusio/quarkus#31496) - Filter out RESTEasy related warning in ProviderConfigInjectionWarningsTest - [#​31482](quarkusio/quarkus#31482) - Remove incorrect default value for keepAliveEnabled - [#​31440](quarkusio/quarkus#31440) - Several quarkus integration tests fail to compile to native with latest GraalVM master - [#​31384](quarkusio/quarkus#31384) - Ignore required documentation for `@ConfigMapping` default methods - [#​30757](quarkusio/quarkus#30757) - Allow same origin CORS requests without 3rd party origins being configured - [#​30744](quarkusio/quarkus#30744) - \[Quarkus Native] ClassNotFoundException: com.github.benmanes.caffeine.cache.SSSW - [#​30698](quarkusio/quarkus#30698) - CORS Request same origin ignored if no other origin set </details> <details> <summary>quarkusio/quarkus-platform</summary> ### [`v2.16.6.Final`](quarkusio/quarkus-platform@2.16.5.Final...2.16.6.Final) [Compare Source](quarkusio/quarkus-platform@2.16.5.Final...2.16.6.Final) ### [`v2.16.5.Final`](quarkusio/quarkus-platform@2.16.4.Final...2.16.5.Final) [Compare Source](quarkusio/quarkus-platform@2.16.4.Final...2.16.5.Final) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever MR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This MR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4yNC4wIiwidXBkYXRlZEluVmVyIjoiMzQuMjQuMCJ9-->
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
When
quarkus.http.cors=trueis set, navigating to the dev UI inhttp://localhost:8080/q/devfails while fetching the WOFF fonts withFailed to load resource: the server responded with a status of 403 (CORS Rejected - Invalid origin)in the browser (Chrome) console.Expected behavior
No errors and the icons are rendered properly in the Dev UI
Actual behavior
The fonts are not rendered and you can see the before mentioned error in the console logs
How to Reproduce?
quarkus create appquarkus.http.cors=trueto theapplication.propertiesHTTP/1.1 403 CORS Rejected - Invalid origininstead :Output of
uname -aorverDarwin MacBook-Pro-de-George 22.3.0 Darwin Kernel Version 22.3.0: Mon Jan 30 20:38:37 PST 2023; root:xnu-8792.81.3~2/RELEASE_ARM64_T6000 arm64
Output of
java -versionopenjdk version "17.0.6" 2023-01-17 OpenJDK Runtime Environment GraalVM CE 22.3.1 (build 17.0.6+10-jvmci-22.3-b13) OpenJDK 64-Bit Server VM GraalVM CE 22.3.1 (build 17.0.6+10-jvmci-22.3-b13, mixed mode, sharing)
GraalVM version (if different from Java)
No response
Quarkus version or git rev
2.16.3.Final
Build tool (ie. output of
mvnw --versionorgradlew --version)Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63) Maven home: /Users/ggastald/.sdkman/candidates/maven/current Java version: 17.0.6, vendor: GraalVM Community, runtime: /Users/ggastald/.sdkman/candidates/java/22.3.1.r17-grl Default locale: en_BR, platform encoding: UTF-8 OS name: "mac os x", version: "13.2.1", arch: "aarch64", family: "mac"
Additional information
No response
The text was updated successfully, but these errors were encountered: