[MAGNOLIA-7215] CORS & OPTIONS Pre-flight support Created: 05/Dec/17  Updated: 23/Oct/23  Resolved: 03/Nov/20

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: None
Fix Version/s: 6.2.4

Type: Improvement Priority: Neutral
Reporter: Roman Kovařík Assignee: Jaroslav Simak
Resolution: Fixed Votes: 2
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Cloners
is cloned by MULTISITE-81 URISecurityFilter doesn't support HTT... Open
Problem/Incident
Relates
relates to MGNLREST-81 CORS preflight requests are throwing ... Closed
relates to MGNLREST-193 Need configurable preflight OPTIONS f... Closed
causality
dependency
is depended upon by MGNLSITE-101 Support CORS configuration for Sites Closed
relation
is related to MGNLREST-282 PUT and DELETE methods are not added ... Closed
is related to MAGNOLIA-7096 Add OPTIONS to default allow list of ... Closed
is related to MGNLDEMO-350 Migrate demo CORS configuration to th... Closed
supersession
supersedes MGNLREST-269 Make CORS easier to Configure Closed
supersedes MGNLREST-193 Need configurable preflight OPTIONS f... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Release notes required:
Yes
Documentation update required:
Yes
Date of First Response:
Epic Link: Headless Phase 2
Sprint: HL & LD 14, HL & LD 15
Story Points: 13

 Description   

Implement full support for CORS (including OPTIONS pre-flight) according to the MEP (https://git.magnolia-cms.com/projects/INTERNAL/repos/mep/pull-requests/13/overview).



 Comments   
Comment by Christopher Zimmermann [ 19/Feb/18 ]

What are the implications of this?
Can CORS not be configured?

Comment by Siegried Zach [ 02/May/18 ]

We came to one situation where the OPTIONS call is needed: 

If you program an RSS feed inside Magnolia and want to import the feed URL into Microsoft Outlook, this fails. Outlook performs (don't know the exact reason) an OPTIONS call on the feed URL, which fails because Magnolia requests a login for the OPTIONS call.

Comment by Viet Nguyen [ 06/Jul/18 ]

I had the same issue when developing a new Angular 6 prototype which calls the PUT method on the REST API.
How to fix it here: https://www.html5rocks.com/en/tutorials/cors/
A temporary workaround is to develop a new filter and put it above '/server/filters/csrfSecurity' using the code below - please fix it for the production-ready stage:

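import info.magnolia.cms.filters.AbstractMgnlFilter;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Answers every OPTIONS request itself so that it never reaches the login/CSRF filters.
public class HttpOptionsFilter extends AbstractMgnlFilter {

    @Override
    public void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
        if ("OPTIONS".equals(request.getMethod())) {
            // Echoes whatever Origin the client sent; together with
            // Access-Control-Allow-Credentials: true this allows every origin.
            String reqOrigin = request.getHeader("Origin");
            response.addHeader("Access-Control-Allow-Origin", reqOrigin);
            response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS, HEAD");
            response.addHeader("Access-Control-Allow-Headers", "X-Custom-Header, X-PINGOTHER, Origin, X-Requested-With, Content-Type, Accept, Authorization, session-variable");
            response.addHeader("Access-Control-Allow-Credentials", "true");
            response.setStatus(200);
            // Do not go any further: chain.doFilter(request, response) is deliberately not called.
        } else {
            chain.doFilter(request, response);
        }
    }

}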
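
The workaround filter in the comment above echoes any Origin back with credentials enabled; the following added example (not part of the original comment and not Magnolia's own implementation) shows the same preflight short-circuit restricted to an exact-match origin allowlist. The class name AllowlistedPreflightFilter, the example.com origins and the trimmed header list are assumptions for illustration, and like the original it covers only the preflight response.

```java
import info.magnolia.cms.filters.AbstractMgnlFilter;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical variant of the workaround filter: answers preflights only for allowlisted origins. */
public class AllowlistedPreflightFilter extends AbstractMgnlFilter {

    // Constructed sample values; replace with the origins that really need access.
    private static final Set<String> ALLOWED_ORIGINS = new HashSet<>(Arrays.asList(
            "https://app.example.com", "https://admin.example.com"));
    private static final String ALLOWED_METHODS = "GET, POST, PUT, DELETE, OPTIONS, HEAD";
    private static final String ALLOWED_HEADERS = "Origin, X-Requested-With, Content-Type, Accept, Authorization";

    /** A CORS preflight is an OPTIONS request carrying Origin and Access-Control-Request-Method. */
    static boolean isPreflight(String method, String origin, String requestedMethod) {
        return "OPTIONS".equals(method) && origin != null && requestedMethod != null;
    }

    /** Exact string match only: no substring, suffix or regex comparison; a missing or "null" origin never matches. */
    static boolean isAllowedOrigin(String origin) {
        return origin != null && ALLOWED_ORIGINS.contains(origin);
    }

    @Override
    public void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String origin = request.getHeader("Origin");
        if (!isPreflight(request.getMethod(), origin, request.getHeader("Access-Control-Request-Method"))) {
            chain.doFilter(request, response); // not a preflight: normal filter chain, including login
            return;
        }
        response.setHeader("Vary", "Origin"); // the answer differs per Origin, so caches must key on it
        if (isAllowedOrigin(origin)) {
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Access-Control-Allow-Methods", ALLOWED_METHODS);
            response.setHeader("Access-Control-Allow-Headers", ALLOWED_HEADERS);
            response.setHeader("Access-Control-Allow-Credentials", "true");
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
        } else {
            response.setStatus(HttpServletResponse.SC_FORBIDDEN); // no CORS headers: the browser blocks the call
        }
    }
}
```
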
Generated at Mon Feb 12 04:21:48 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.