[MAGNOLIA-8589] CorsResponseFilter failure when Access-Control-Request-Headers has multiple values Created: 07/Oct/22  Updated: 25/Oct/23  Resolved: 04/Oct/23

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: 6.2.25
Fix Version/s: 6.3.0, 6.2.40

Type: Bug Priority: Neutral
Reporter: Roberto Gaona Assignee: Anh Vu
Resolution: Fixed Votes: 1
Labels: None
Σ Remaining Estimate: 0d Remaining Estimate: 0d
Σ Time Spent: 3d 3h Time Spent: 3d 1h
Σ Original Estimate: Not Specified Original Estimate: Not Specified

Issue Links:
causality
Sub-Tasks:
Key            Summary    Type      Status  Assignee
MAGNOLIA-9120  Implement  Sub-task  Closed  Anh Vu
MAGNOLIA-9121  Review     Sub-task  Closed  Dai Ha
MAGNOLIA-9122  piQA       Sub-task  Closed  Canh Nguyen
MAGNOLIA-9123  QA         Sub-task  Closed  Oanh Thai Hoang
Template:
Acceptance criteria:
Empty
Task DoD:
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[X]* Steps to reproduce, expected, and actual results filled
[X]* Affected version filled
Date of First Response:
Epic Link: Support
Sprint: DevX 47
Story Points: 2
Team: DeveloperX
Work Started:
Approved:
Yes

 Description   

Steps to reproduce

  1. Configure some CORS configuration at site level to allow multiple header values.
  2. Perform a REST call setting a multi-valued header "Access-Control-Request-Headers" with some of the previous values.

Expected results

The call is executed without complications, depending on the headers being allowed or not.

Actual results

If the header is multivalued, the following error is always thrown: 
CORS failed due to: Some of the request headers [x-pingother,x-requested-with] are not allowed

Workaround

At the moment, it seems like setting the header "Access-Control-Request-Headers" once for each wanted value allows the filter to work.

Development notes

The issue seems to be in the areHeadersAllowed method of the CorsResponseFilter class.

The final Set<String> requestHeaders parameter of the areHeadersAllowed method should also be able to contain multivalued headers.



 Comments   
Comment by Jochen Klein [ 22/Sep/23 ]

The problem is more likely here https://git.magnolia-cms.com/projects/PLATFORM/repos/main.pub/browse/magnolia-core/src/main/java/info/magnolia/cors/CorsResponseFilter.java#129 when reading the header values.
The values from the header need to be split by ',' and all values need to be added to the result.
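
The splitting step described in the comment above, as an added example that is not Magnolia's own code: every Access-Control-Request-Headers line is split on ',' and normalized before the allow-list check, so a single comma-separated line and a repeated header give the same result. The class name, method bodies and sample values are assumptions; only the header name and the method name areHeadersAllowed come from the issue.

```java
import java.util.*;

// Added example, not Magnolia code. The class name and method bodies are hypothetical.
public class RequestHeaderAllowList {

    /**
     * Flattens every Access-Control-Request-Headers line into individual,
     * lower-cased field names. Handles "a, b" on one line as well as the
     * header being sent once per value.
     */
    static Set<String> parseRequestHeaders(Enumeration<String> rawValues) {
        Set<String> names = new LinkedHashSet<>();
        if (rawValues == null) {
            return names;
        }
        while (rawValues.hasMoreElements()) {
            String line = rawValues.nextElement();
            if (line == null) {
                continue;
            }
            for (String token : line.split(",")) {
                // Header field names are case-insensitive; trim optional whitespace.
                String name = token.trim().toLowerCase(Locale.ROOT);
                if (!name.isEmpty()) {
                    names.add(name);
                }
            }
        }
        return names;
    }

    /** True only if every requested header is on the configured allow-list. */
    static boolean areHeadersAllowed(Set<String> allowed, Set<String> requested) {
        Set<String> normalized = new HashSet<>();
        for (String a : allowed) {
            normalized.add(a.trim().toLowerCase(Locale.ROOT));
        }
        return normalized.containsAll(requested);
    }

    public static void main(String[] args) {
        // Constructed allow-list and request header values, for illustration only.
        Set<String> allowed = Set.of("X-PINGOTHER", "X-Requested-With", "Content-Type");
        List<String> oneLine = List.of("x-pingother,x-requested-with");
        List<String> repeated = List.of("x-pingother", "x-requested-with");
        List<String> notConfigured = List.of("x-pingother, x-not-configured");
        for (List<String> lines : List.of(oneLine, repeated, notConfigured)) {
            Set<String> requested = parseRequestHeaders(Collections.enumeration(lines));
            System.out.println(requested + " allowed=" + areHeadersAllowed(allowed, requested));
        }
    }
}
```

Comparing the unsplit string "x-pingother,x-requested-with" against the allow-list as one name is what produces the rejection quoted in the description; after splitting, a request is rejected only when it names a header that is not configured.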

Generated at Mon Feb 12 04:34:03 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.