Skip to content

guide cors support

Jump to bottom
devonfw-core edited this page Jul 20, 2021 · 1 revision

CORS support

When you are developing Javascript client and server application separately, you have to deal with cross domain issues. We have to request from a origin domain distinct to target domain and browser does not allow this.

So , we need to prepare server side to accept request from other domains. We need to cover the following points:

  • Accept request from other domains.

  • Accept devonfw used headers like X-CSRF-TOKEN or correlationId.

  • Be prepared to receive secured request (cookies).

It is important to note that if you are using security in your request (sending cookies) you have to set withCredentials flag to true in your client side request and deal with special IE8 characteristics.

Configuring CORS support

Quarkus comes with a CORS filter which implements the javax.servlet.Filter interface and intercepts all incoming HTTP requests. It can be enabled in the Quarkus configuration file, src/main/resources/application.properties: 

quarkus.http.cors=true

Configuration with quarkus

Here’s an example of a full CORS filter configuration, including a regular expression defining an allowed origin:

# enable cors filter
quarkus.http.cors=true
# configurations cors
quarkus.http.cors.origins=http://foo.com,http://www.bar.io,/https://([a-z0-9\\-_]+)\\.app\\.mydomain\\.com/
quarkus.http.cors.methods=OPTIONS,HEAD,GET,PUT,POST,DELETE,PATCH
quarkus.http.cors.headers=X-Custom
quarkus.http.cors.exposed-headers=Content-Disposition
quarkus.http.cors.access-control-max-age=24H
quarkus.http.cors.access-control-allow-credentials=true
Attribute Default Description HTTP Header

quarkus.http.cors.access-control-allow-credentials

-

Boolean value to tell the browsers to expose the response to front-end JavaScript code when the request’s credentials mode Request.credentials is “include”

Access-Control-Allow-Credentials

quarkus.http.cors.origins

*

The comma-separated list of origins allowed for CORS. Values starting and ending with '/'' will be treated as regular expressions. The filter allows any origin if this is not set or set to '*'.

Access-Control-Allow-Origin

quarkus.http.cors.methods

*

The comma-separated list of HTTP methods allowed for CORS. The filter allows any method if this is not set or set to '*'.

Access-Control-Allow-Methods

quarkus.http.cors.headers

*

The comma-separated list of HTTP headers allowed for CORS. The filter allows any header if this is not set or set to '*'.

Access-Control-Allow-Headers

quarkus.http.cors.exposed-headers

*

The comma-separated list of HTTP headers exposed in CORS. The filter allows any headers to be exposed if this is not set or set to '*'.

Access-Control-Expose-Headers

quarkus.http.cors.access-control-max-age

-

The duration (see note below) indicating how long the results of a pre-flight request can be cached.

Access-Control-Max-Age

Configuration with service mesh

Alternatively, if you use service mesh, you can also define your CORS policy directly there. Here is an example from istio

More information about the CORS headers can be found here

Creative Commons License Agreement
This documentation is licensed under the Creative Commons License (Attribution-NoDerivatives 4.0 International).

Clone this wiki locally