Support dynamic Access-Control-Allow-Origin based on Origin HTTP request header [SPR-13511]

[spring-projects-issues]

Hendy Irawan opened SPR-13511 and commented

Spring 4.2 has CORS support, however allowed Origin(s) must be set manually. Which is problematic when combined with authentication, because authentication not supported with Access-Control-Allow-Origin: *.

Please allow to make this set automatically. Very useful for Ionic/Cordova clients.

i.e. if client sends Origin: assets-library://whatever/ then server will send Access-Control-Allow-Origin: assets-library://whatever/

---

Affects: 4.2.1

Reference URL: http://stackoverflow.com/q/32797633/122441

[spring-projects-issues]

Sébastien Deleuze commented

This use case should already be supported. Spring 4.2 should respond with the requested origin instead of * when allow credentials is set to true, as implemented here. And since the default configuration is allow origin(s) set to * and allow credentials set to true it should work out of the box if you use @CrossOrigin or Cors javaConfig.

Could you give us more details about how to reproduce this issue, maybe with a small repoduction project created with start.spring.io (please select Spring Boot 1.3.0 M5)?

[spring-projects-issues]

Hendy Irawan commented

Thanks. Please mark this as Invalid. Explanation:

By "default" of Spring Boot, Spring 4.2 does support my described scenario when using @CrossOrigin or addCorsMappings().

What's not default, is by using Sébastien's technique described here (I've since updated the answer). Care must be taken to:

config.setAllowCredentials(true);

because the real default of CorsConfiguration is it's null which is treated as false.

[spring-projects-issues]

Sébastien Deleuze commented

Thanks for the update. Indeed, CorsConfiguration default values are non opinionated, while @Crossorigin and JavaConfig (CorsRegistry/CorsRegistration) are.