[MGNLREST-193] Need configurable preflight OPTIONS filter to avoid No 'Access-Control-Allow-Origin' header error Created: 24/Sep/18  Updated: 23/Oct/23  Resolved: 09/Nov/20

Status: Closed
Project: Magnolia REST Framework
Component/s: None
Affects Version/s: 2.1.1
Fix Version/s: None

Type: Improvement Priority: Neutral
Reporter: Viet Nguyen Assignee: Unassigned
Resolution: Duplicate Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to MAGNOLIA-7215 CORS & OPTIONS Pre-flight support Closed
causality
dependency
is depended upon by MGNLREST-258 Provide default CORS configuration Closed
duplicate
is duplicated by MGNLREST-81 CORS preflight requests are throwing ... Closed
supersession
is superseded by MAGNOLIA-7215 CORS & OPTIONS Pre-flight support Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Testcase included:
Yes
Date of First Response:
Epic Link: Headless Phase 2

Description

As a developer I want Magnolia to accept and correctly respond to CORS 'preflight' 'OPTIONS' requests so that I can actually achieve my headless CMS requirements including (but not limited to) pushing content to Magnolia.

Currently it's not possible (or at least hard) to push content to Magnolia REST endpoints, or delete content, from within a browser, because modern browsers enforce CORS. Another customer mentioned "Outlook performs (don't know the exact reason) an OPTIONS call on the feed URL which is failing as Magnolia requests a login for the OPTIONS call." There are surely other cases where OPTIONS requests are sent.

To reproduce the issue

See instructions in Description of this ticket: https://jira.magnolia-cms.com/browse/MGNLREST-81

Acceptance Criteria:

  • When my app/website running in a browser makes a request to Magnolia endpoints and the browser sends an OPTIONS request first, Magnolia responds correctly, such that the browser can make the actual request.
  • As a developer I can configure how Magnolia responds to OPTIONS requests.
  • Magnolia has a default configuration which accepts OPTIONS requests, or makes it very easy to configure, for example by setting one property in the configuration. For example, it should be part of the default CORS configuration proposed in https://jira.magnolia-cms.com/browse/MGNLREST-258

We should provide a basic solution without delay. A further ticket could be created to add further sophistication.

 

Resources

Please see the comments below, the comments on the linked ticket MGNLREST-81, and the patch from amanzoni: https://git.magnolia-cms.com/projects/SERVICES/repos/rest/commits/0f42ac3ab288ee94116f772994056dbbb2516f60

 

CORS OPTIONS Details

https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request

https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS

 

Previous Description: (Still relevant)

Customers are facing a blocking issue when accessing the Headless bundle from Angular 6 because of the error below:
XMLHttpRequest cannot load http://localhost:8080/mpl/.rest/mplWebsite/myphx/home. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access. The response had HTTP status code 403.
I've tried it as well and get the same issue. Please find a temporary filter in the ticket comment; please fix it to be configurable and production grade.



Comments
Comment by Viet Nguyen [ 24/Sep/18 ]

You can implement a filter like this and put it after "/server/filters/securityCallback":

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang3.StringUtils; // on older Magnolia versions: org.apache.commons.lang.StringUtils

import info.magnolia.cms.filters.AbstractMgnlFilter;

public class HttpOptionsFilter extends AbstractMgnlFilter {

    // CSV list of URI prefixes whose OPTIONS requests are passed down the chain untouched,
    // such as /optimum-webapp/.webdav,/optimum-webapp/webdav
    public String bypassURIs = "";

    public void setBypassURIs(String bypassURIs) {
        this.bypassURIs = bypassURIs;
    }

    @Override
    public void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
        if ("OPTIONS".equals(request.getMethod())) {
            // Let the configured URIs (e.g. WebDAV) answer OPTIONS themselves.
            for (String bypass : bypassURIs.split(",")) {
                bypass = bypass.trim().replace(" ", "");
                if (StringUtils.isEmpty(bypass)) continue;
                if (request.getRequestURI().startsWith(bypass)) {
                    chain.doFilter(request, response);
                    return;
                }
            }
            // Answer the preflight here, reflecting whatever Origin the request carries (every origin is accepted).
            String reqOrigin = request.getHeader("Origin");
            response.addHeader("Access-Control-Allow-Origin", reqOrigin);
            response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS, HEAD");
            response.addHeader("Access-Control-Allow-Headers", "X-Custom-Header, X-PINGOTHER, Origin, X-Requested-With, Content-Type, Accept, Authorization, session-variable");
            response.addHeader("Access-Control-Allow-Credentials", "true");
            response.setStatus(200);
            // Do not call chain.doFilter(request, response) here: the preflight response is complete.
        } else {
            chain.doFilter(request, response);
        }
    }

}

Note that in the above example, all OPTIONS preflight requests are accepted automatically. Please adapt it to your needs.
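
As an added example (not code from the ticket, its commenters, or Magnolia), the same kind of filter hardened to answer preflights only for a configured allowlist of origins, which removes the "every origin is accepted" behaviour of the comment's filter and also puts the CORS headers on the actual cross-origin request. The class and property names are hypothetical, the sample origins are constructed, and it assumes the same AbstractMgnlFilter, servlet and commons-lang3 APIs the comment's filter relies on:

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import info.magnolia.cms.filters.AbstractMgnlFilter;

// Hypothetical filter: answers preflights only for configured origins instead of echoing any Origin.
public class AllowlistedCorsFilter extends AbstractMgnlFilter {
    // Comma-separated exact origins, e.g. "http://localhost:4200,https://app.example.com" (constructed sample values)
    private String allowedOrigins = "";
    private final String allowedMethods = "GET, POST, PUT, DELETE, OPTIONS, HEAD";
    private final String allowedHeaders = "Origin, X-Requested-With, Content-Type, Accept, Authorization";

    public void setAllowedOrigins(String allowedOrigins) { this.allowedOrigins = allowedOrigins; }

    @Override
    public void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String origin = request.getHeader("Origin");
        boolean allowed = origin != null && isAllowed(origin);
        // A preflight is OPTIONS plus Origin plus Access-Control-Request-Method; plain OPTIONS is left alone.
        boolean preflight = "OPTIONS".equals(request.getMethod())
                && origin != null && request.getHeader("Access-Control-Request-Method") != null;
        if (allowed) {
            // Echo only the vetted origin (never "*" with credentials) and mark the response as varying by Origin.
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Access-Control-Allow-Credentials", "true");
            response.addHeader("Vary", "Origin");
        }
        if (!preflight) {
            chain.doFilter(request, response); // the real request still needs the headers set above
            return;
        }
        if (!allowed) {
            response.setStatus(HttpServletResponse.SC_FORBIDDEN); // no CORS headers: the browser blocks the real request
            return;
        }
        response.setHeader("Access-Control-Allow-Methods", allowedMethods);
        response.setHeader("Access-Control-Allow-Headers", allowedHeaders);
        response.setHeader("Access-Control-Max-Age", "600");
        response.setStatus(HttpServletResponse.SC_NO_CONTENT); // preflight answered here; do not continue the chain
    }

    boolean isAllowed(String origin) {
        for (String c : allowedOrigins.split(",")) if (StringUtils.isNotBlank(c) && c.trim().equals(origin)) return true;
        return false;
    }
}
```

Registered under /server/filters like the comment's filter, with allowedOrigins set to the front-end origins you control, an unlisted origin gets a 403 without any Access-Control headers, which is exactly the condition that makes the browser refuse the follow-up request.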

Comment by Simon Lutz [ 09/Nov/20 ]

Ships with 6.2.4: MAGNOLIA-7215

Generated at Mon Feb 12 06:57:33 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.