custom REST CORS header configuration is not applied to responses

[yolabingo]

Parent Issue

No response

Problem Statement

CORS header config changes are not working - the default headers remain unchanged.

Custom CORS header config like

        DOT_API_CORS_DEFAULT_ACCESS-CONTROL-ALLOW-CREDENTIALS: 'false'
        DOT_API_CORS_DEFAULT_ACCESS-CONTROL-ALLOW-ORIGIN: 'http://localhost'
        DOT_API_CORS_DEFAULT_ACCESS-CONTROL-ALLOW-METHODS: 'POST'

has no effect on the default headers

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,HEAD,OPTIONS,PATCH
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: *
Access-Control-Expose-Headers: *

I found that setting global DEFAULT headers appeared to work on 5.3.8, but per-resource headers may not.

DOT_API_CORS_CONTENTRESOURCE_ACCESS-CONTROL-ALLOW-ORIGIN: 'http://example.com'

Steps to Reproduce

Fetch default headers
curl -ks -X OPTIONS --head http://127.0.0.1:8082/api/v1/contenttype | grep -i access-control

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,HEAD,OPTIONS,PATCH
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: *
Access-Control-Expose-Headers: *

Add Docker environment variables such as

        DOT_API_CORS_DEFAULT_ACCESS-CONTROL-ALLOW-CREDENTIALS: 'false'
        DOT_API_CORS_DEFAULT_ACCESS-CONTROL-ALLOW-ORIGIN: 'http://localhost'
        DOT_API_CORS_DEFAULT_ACCESS-CONTROL-ALLOW-METHODS: 'POST'

Restart - dotCMS CORS header response does not change.

Acceptance Criteria

REST CORS headers should be configurable.

It would be nice extend this functionality as well, for example being able to support multiple Origin hosts.

dotCMS Version

LTS 21.06 22.03 23.01 and agile

It appears this worked, at least partially, in 5.3.8.

Proposed Objective

Core Features

Proposed Priority

Priority 2 - Important

External Links... Slack Conversations, Support Tickets, Figma Designs, etc.

No response

Assumptions & Initiation Needs

No response

Quality Assurance Notes & Workarounds

No response

Sub-Tasks & Estimates

No response

[yolabingo]

Cloud support ticket https://dotcms.zendesk.com/agent/tickets/113022

[erickgonzalez]

Note To QA and Doc

Let's now add the properties like:
DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_CREDENTIALS

This means using an underscore instead of a hyphen.

[yolabingo]

A quick test looks good for DEFAULT - setting

        DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_CREDENTIALS: 'false'
        DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_METHODS: 'PUT'
        DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_ORIGIN: 'http://example.com/'

returns

Access-Control-Allow-Methods: PUT
Access-Control-Allow-Credentials: false
Access-Control-Allow-Origin: http://example.com/
Access-Control-Allow-Headers: *
Access-Control-Expose-Headers: *

I found that the example in the docs for a
Resource Specific Header does not appear to work - trying to set headers for "content" resource

        DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_CREDENTIALS: 'false'
        DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_METHODS: 'PUT'
        DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_ORIGIN: 'http://example.com/'

does not change the default headers for
curl -ks --head -X OPTIONS http://localhost:8082/api/content

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,HEAD,OPTIONS,PATCH
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: *
Access-Control-Expose-Headers: *

New ticket created for specific resources: #26503

[josemejias11]

Approved: Tested on master_39ca5c4_SNAPSHOT, Docker, macOS 13.0, FF v113.0