I am using Spring Boot v1.5.1, and it seems my restriction on CORS origin is not working.
My application.properties file has the following line (ref1 ref2).
```properties
endpoints.cors.allowed-origins=http://mydomain.io
```
My REST controller looks like the following.
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@CrossOrigin
@RequestMapping("/api/car")
public class CarCtrl {

    @Autowired
    private CarService carService;

    @GetMapping
    public Car get() {
        return carService.getLatest();
    }
}
```
However, when I open up a browser and type in http://localhost:8080/api/car
I am still able to access the REST endpoint.
I also tried to change my annotation as follows, but that does not work.
```java
@CrossOrigin("${endpoints.cors.allowed-origins}")
```
Any ideas on what I'm doing wrong?
Note that I am not using WebMvcConfigurerAdapter like this post. Do I really need to extend this class to explicitly control the origin? I figured that the @CrossOrigin annotation, in addition to the properties file setting, would be able to control the allowed origins (as opposed to having to do so programmatically).
In order to fix CORS, you need to make sure that the API is sending proper headers (Access-Control-Allow-*). That's why it's not something you can fix in the UI, and that's why it only causes an issue in the browser and not via curl: because it's the browser that checks and eventually blocks the calls.
Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.
CORS (Cross-Origin Resource Sharing) is a system, consisting of transmitting HTTP headers, that determines whether browsers block frontend JavaScript code from accessing responses for cross-origin requests. The same-origin security policy forbids cross-origin access to resources.
However, when I open up a browser and type in http://localhost:8080/api/car I am still able to access the REST endpoint.
CORS allowed-origins settings don’t cause servers to block requests.
And because the server isn’t blocking the request, that doesn’t prevent you from opening the URL directly in a browser.
The same-origin policy is what imposes cross-origin restrictions, and the same-origin policy is only applied to frontend JavaScript in web applications running in a web browser, and using XHR or Fetch or jQuery $.ajax(…) or whatever to make cross-origin requests.
So CORS isn’t a way to cause servers to block requests. And so it also isn’t a way to prevent users from being able to directly navigate to a URL, and isn’t a way to prevent any non-web-application tools like curl or Postman or whatever from accessing the URL.
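The point made in the two answers above (the server answers every request; the allow-list only decides whether an Access-Control-Allow-Origin header is emitted, and it is the browser that hides the response) as an added, runnable model. This is example code, not from the question, the answers or Spring; the allow-list value is the one from the question's application.properties, and the request/response shapes are simplified dicts rather than real HTTP.

```python
# Added example: a minimal server-side model of a CORS allow-list.
# Assumption: the allow-list is the single origin from the question's
# endpoints.cors.allowed-origins setting.
ALLOWED_ORIGINS = {"http://mydomain.io"}


def cors_headers(request_headers, allowed_origins=ALLOWED_ORIGINS):
    """Return the CORS headers to add for this request.

    The server never refuses the request here; it only decides whether
    to emit Access-Control-Allow-Origin for the requesting Origin.
    """
    origin = request_headers.get("Origin")
    if origin is None:
        # Direct navigation, curl, Postman: no Origin header is sent,
        # so there is no cross-origin context and nothing for CORS to add.
        return {}
    if origin not in allowed_origins:
        # Disallowed origin: respond normally but without an
        # Access-Control-Allow-Origin header. The browser's same-origin
        # policy then keeps the response away from the page's JavaScript.
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": origin,
        # The response differs per Origin, so shared caches must key on it.
        "Vary": "Origin",
    }


def handle_get(request_headers):
    """Serve GET /api/car. The body is always returned; only headers vary."""
    headers = {"Content-Type": "application/json"}
    headers.update(cors_headers(request_headers))
    return 200, headers, '{"model": "latest"}'  # constructed body


def browser_allows_read(response_headers, page_origin):
    """The check a browser makes before exposing a cross-origin response."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    return acao == "*" or acao == page_origin


if __name__ == "__main__":
    # Constructed requests: direct navigation, the allowed site, another site.
    for hdrs in ({}, {"Origin": "http://mydomain.io"}, {"Origin": "http://other.example"}):
        status, resp, body = handle_get(hdrs)
        print(hdrs, status, resp.get("Access-Control-Allow-Origin"), body)
```

All three requests get a 200 and the JSON body; only the allowed origin gets an Access-Control-Allow-Origin header, which is why a direct visit to http://localhost:8080/api/car still works.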
Explicitly specifying the domain as a string in @CrossOrigin("http://mydomain.io") will work. I don't think @CrossOrigin("${endpoints.cors.allowed-origins}") will work.