Describe the issue
The Wheels 3.x global setting set(allowCorsRequests=true) is still honored in 4.0 — the framework checks it in vendor/wheels/Global.cfc (around line 3536), defaults it to false in vendor/wheels/events/init/security.cfm line 17, and has dedicated tests under vendor/wheels/tests/specs/dispatch/setCorsHeadersSpec.cfc and corsSecurityDefaultsSpec.cfc.
But the 3.x → 4.0 upgrade guide item 1 (CORS default flips from wildcard to deny-all) and the CHANGELOG #2039 only describe the new wheels.middleware.Cors middleware.
3.x apps that use the global setting (titan does) have no documented:
- Confirmation that the old global setting still works
- Comparison of when to use the old setting vs the new middleware
- Migration path from the global setting to the middleware
- Precedence order when both are configured
Why this matters
Real-world 3.x apps configured CORS via set(allowCorsRequests=true) and the accessControlAllow* family of settings — not via the middleware. After upgrading to 4.0, they will either:
- Assume the upgrade guide's middleware changes apply to them and refactor unnecessarily, OR
- Assume the changes don't apply and not realize the new middleware exists at all (and miss out on the per-route configurability + secure default it provides)
Neither outcome is good.
Suggested fix
Add a short section to the canonical 3.x → 4.0 guide under the CORS breaker (or as a new "CORS — two paths in 4.0" section) covering:
- The old global
set(allowCorsRequests=true) and set(accessControlAllow*) family of settings is still honored. No migration required for apps that only use these.
- The new
wheels.middleware.Cors is a separate, more configurable path with deny-all default and per-route scoping.
- Both paths can be active simultaneously — document the precedence (does the middleware run before or after the global setting's header emission? Both? Neither overrides the other?).
- Recommendation: new code should use the middleware; existing global-setting configs are fine to leave during the upgrade window.
Environment
- Wheels: 4.0.0-SNAPSHOT+1779
🤖 Filed by Claude Code while assisting with a 4.0 upgrade testbed
Describe the issue
The Wheels 3.x global setting
set(allowCorsRequests=true)is still honored in 4.0 — the framework checks it invendor/wheels/Global.cfc(around line 3536), defaults it tofalseinvendor/wheels/events/init/security.cfmline 17, and has dedicated tests undervendor/wheels/tests/specs/dispatch/setCorsHeadersSpec.cfcandcorsSecurityDefaultsSpec.cfc.But the 3.x → 4.0 upgrade guide item 1 (CORS default flips from wildcard to deny-all) and the CHANGELOG #2039 only describe the new
wheels.middleware.Corsmiddleware.3.x apps that use the global setting (titan does) have no documented:
Why this matters
Real-world 3.x apps configured CORS via
set(allowCorsRequests=true)and theaccessControlAllow*family of settings — not via the middleware. After upgrading to 4.0, they will either:Neither outcome is good.
Suggested fix
Add a short section to the canonical 3.x → 4.0 guide under the CORS breaker (or as a new "CORS — two paths in 4.0" section) covering:
set(allowCorsRequests=true)andset(accessControlAllow*)family of settings is still honored. No migration required for apps that only use these.wheels.middleware.Corsis a separate, more configurable path with deny-all default and per-route scoping.Environment
🤖 Filed by Claude Code while assisting with a 4.0 upgrade testbed