GH-10988: Align HTTP Cross-Origin with Spring MVC#11003
Merged
Conversation
Fixes: spring-projects#10988 The Spring MVC comes with `allowedOrigins` as empty list and `allowCredentials` as `false` by default. In addition, Spring MVC provides now a flexible `allowedOriginPatterns` * Fix HTTP and WebFlux module to handle the required by Spring MVC defaults for `CrossOrigin` configuration **Auto-cherry-pick to `7.0.x` & `6.5.x`**
cppwfs
requested changes
May 18, 2026
Contributor
cppwfs
left a comment
cppwfs
left a comment
There was a problem hiding this comment.
Looks great!
Just a question and a small doc hiccup.
| The default value is `pass:[*]`. | ||
| The default value is empty. | ||
| * `origin-patterns`: List of allowed origin patterns. | ||
| Alternative list to `origin` that supports more flexible |
Contributor
There was a problem hiding this comment.
132 and 133 can be on the same line.
Member
Author
There was a problem hiding this comment.
Yeah... Copy/paste artifact from Javadocs :shame_on_me:
|
|
||
| Starting with version 4.2, you can configure the `<http:inbound-channel-adapter>` and `<http:inbound-gateway>` with a `<cross-origin>` element. | ||
| It represents the same options as Spring MVC's `@CrossOrigin` for `@Controller` annotations and allows the configuration of cross-origin resource sharing (CORS) for Spring Integration HTTP endpoints: | ||
| It represents the same options as Spring MVC `@CrossOrigin` for `@Controller` annotations and allows the configuration of cross-origin resource sharing (CORS) for Spring Integration HTTP endpoints: |
Contributor
There was a problem hiding this comment.
Do we need to add this to the What's new doc as well, since this is a breaking change?
Member
Author
There was a problem hiding this comment.
No, we do not.
This is going to be back-ported down to 6.5.x.
And this is essentially a fix for already not working code.
To make it working you have to change those defaults.
Therefore everyone who uses this feature already covered, otherwise it would fail for them with those defaults rejected by clients.
Contributor
There was a problem hiding this comment.
Makes sense. Just had to ask the question.
spring-builds
pushed a commit
that referenced
this pull request
May 19, 2026
* GH-10988: Align HTTP Cross-Origin with Spring MVC Fixes: #10988 The Spring MVC comes with `allowedOrigins` as empty list and `allowCredentials` as `false` by default. In addition, Spring MVC provides now a flexible `allowedOriginPatterns` * Fix HTTP and WebFlux module to handle the required by Spring MVC defaults for `CrossOrigin` configuration * Fix `http/namespace.adoc` for `One Sentence per Line` (cherry picked from commit d8e2c89)
spring-builds
pushed a commit
that referenced
this pull request
May 19, 2026
* GH-10988: Align HTTP Cross-Origin with Spring MVC Fixes: #10988 The Spring MVC comes with `allowedOrigins` as empty list and `allowCredentials` as `false` by default. In addition, Spring MVC provides now a flexible `allowedOriginPatterns` * Fix HTTP and WebFlux module to handle the required by Spring MVC defaults for `CrossOrigin` configuration * Fix `http/namespace.adoc` for `One Sentence per Line` (cherry picked from commit d8e2c89)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes: #10988
The Spring MVC comes with
allowedOriginsas empty list andallowCredentialsasfalseby default.In addition, Spring MVC provides now a flexible
allowedOriginPatternsCrossOriginconfigurationAuto-cherry-pick to
7.0.x&6.5.x