[MGNLREST-193] Need configurable preflight OPTIONS filter to avoid No 'Access-Control-Allow-Origin' header error Created: 24/Sep/18 Updated: 23/Oct/23 Resolved: 09/Nov/20 |
|
| Status: | Closed |
| Project: | Magnolia REST Framework |
| Component/s: | None |
| Affects Version/s: | 2.1.1 |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Neutral |
| Reporter: | Viet Nguyen | Assignee: | Unassigned |
| Resolution: | Duplicate | Votes: | 1 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
| Template: |
|
| Acceptance criteria: |
Empty
|
| Task DoD: |
[ ] Doc/release notes changes? Comment present?
[ ] Downstream builds green?
[ ] Solution information and context easily available?
[ ] Tests
[ ] FixVersion filled and not yet released
[ ] Architecture Decision Record (ADR)
|
| Testcase included: |
Yes
|
| Date of First Response: | |
| Epic Link: | Headless Phase 2 |
| Description |
|
As a developer I want Magnolia to accept and correctly respond to CORS 'preflight' 'OPTIONS' requests so that I can actually achieve my headless CMS requirements, including (but not limited to) pushing content to Magnolia.

Currently it's not possible (or at least hard) to push content to Magnolia REST endpoints, or delete content, from within a browser, as modern browsers enforce CORS security.

Another customer mentioned: "Outlook performs (don't know the exact reason) an OPTIONS call on the feed URL which is failing as Magnolia requests a login for the OPTIONS call." There are surely other cases where OPTIONS requests are sent.

To reproduce the issue: see the instructions in the Description of this ticket: https://jira.magnolia-cms.com/browse/MGNLREST-81

Acceptance Criteria: We should provide a basic solution without delay. A further ticket could be created to add further sophistication.

Resources: Please see the comments below and the comments on the linked ticket.

CORS OPTIONS details:
https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS

Previous Description (still relevant): Customers are facing a blocking issue when using Angular 6 to access the Headless bundle because of the error below: |
| Comments |
| Comment by Viet Nguyen [ 24/Sep/18 ] |
|
You can implement a filter like this and put it after "/server/filters/securityCallback":

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang3.StringUtils;

import info.magnolia.cms.filters.AbstractMgnlFilter;

public class HttpOptionsFilter extends AbstractMgnlFilter {

    // CSV list of URI prefixes that keep Magnolia's default OPTIONS handling,
    // such as /optimum-webapp/.webdav,/optimum-webapp/webdav
    public String bypassURIs = "";

    @Override
    public void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if ("OPTIONS".equals(request.getMethod())) {
            // Let the configured bypass prefixes fall through to the rest of the chain.
            for (String bypass : bypassURIs.split(",")) {
                bypass = bypass.trim().replace(" ", "");
                if (StringUtils.isEmpty(bypass)) {
                    continue;
                }
                if (request.getRequestURI().startsWith(bypass)) {
                    chain.doFilter(request, response);
                    return;
                }
            }
            // Answer the preflight with the CORS headers the browser expects.
            String reqOrigin = request.getHeader("Origin");
            response.addHeader("Access-Control-Allow-Origin", reqOrigin);
            response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS, HEAD");
            response.addHeader("Access-Control-Allow-Headers",
                    "X-Custom-Header, X-PINGOTHER, Origin, X-Requested-With, Content-Type, Accept, Authorization, session-variable");
            response.addHeader("Access-Control-Allow-Credentials", "true");
            response.setStatus(200);
            // do not go any further: the preflight is fully answered here
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Note that in the above example, all OPTIONS preflight requests are accepted automatically. Please fix it as you need. |
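The filter in the comment above echoes whatever `Origin` header arrives together with `Access-Control-Allow-Credentials: true`, which effectively opens credentialed cross-origin access to every site. The following is an added example, not Magnolia's own code and not the commenter's: a variant of the same `AbstractMgnlFilter` pattern that only echoes origins from a configured allowlist, answers preflights itself without reaching the login callback, and leaves non-CORS requests untouched. The class name `AllowlistCorsFilter`, the `allowedOrigins`/`allowedMethods`/`allowedHeaders`/`maxAgeSeconds` properties, the package name and the sample origins are assumptions made for this example.

```java
// Added example (hypothetical package and class names): a CORS filter for Magnolia
// that matches the Origin header against an allowlist instead of reflecting it.
package com.example.cors;

import java.io.IOException;
import java.util.LinkedHashSet;
import java.util.Set;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import info.magnolia.cms.filters.AbstractMgnlFilter;

public class AllowlistCorsFilter extends AbstractMgnlFilter {

    // Set from Magnolia config as a CSV, e.g. "https://app.example.com,https://admin.example.com"
    // (sample values; scheme, host and port must match exactly).
    private Set<String> allowedOrigins = new LinkedHashSet<>();
    private String allowedMethods = "GET, POST, PUT, DELETE, OPTIONS, HEAD";
    private String allowedHeaders = "Origin, X-Requested-With, Content-Type, Accept, Authorization";
    private long maxAgeSeconds = 600;

    public void setAllowedOrigins(String csv) {
        Set<String> parsed = new LinkedHashSet<>();
        for (String origin : csv.split(",")) {
            String trimmed = origin.trim();
            if (!trimmed.isEmpty()) {
                parsed.add(trimmed);
            }
        }
        allowedOrigins = parsed;
    }

    public void setAllowedMethods(String allowedMethods) { this.allowedMethods = allowedMethods; }

    public void setAllowedHeaders(String allowedHeaders) { this.allowedHeaders = allowedHeaders; }

    public void setMaxAgeSeconds(long maxAgeSeconds) { this.maxAgeSeconds = maxAgeSeconds; }

    // Exact set membership: a prefix or substring test would let
    // "https://app.example.com.attacker.example" through.
    boolean isAllowedOrigin(String origin) {
        return origin != null && allowedOrigins.contains(origin);
    }

    @Override
    public void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String origin = request.getHeader("Origin");
        // A preflight is an OPTIONS request that announces the real method it is asking about.
        boolean preflight = "OPTIONS".equals(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;

        // The response differs per Origin, so shared caches must key on it.
        response.addHeader("Vary", "Origin");

        if (!isAllowedOrigin(origin)) {
            if (preflight) {
                // Unknown origin: answer without any Access-Control-* headers, so the
                // browser refuses the actual request and no login challenge is issued.
                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            // No Origin header or a same-origin call: normal Magnolia handling.
            chain.doFilter(request, response);
            return;
        }

        // Allowed origin: echo exactly the matched value. Never "*" together with credentials.
        response.setHeader("Access-Control-Allow-Origin", origin);
        response.setHeader("Access-Control-Allow-Credentials", "true");

        if (preflight) {
            response.setHeader("Access-Control-Allow-Methods", allowedMethods);
            response.setHeader("Access-Control-Allow-Headers", allowedHeaders);
            response.setHeader("Access-Control-Max-Age", Long.toString(maxAgeSeconds));
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            // The preflight ends here; it carries no credentials and must not hit the security callback.
            return;
        }

        // Actual cross-origin request from an allowed origin: continue to the REST endpoint,
        // where Magnolia's own authentication still applies.
        chain.doFilter(request, response);
    }
}
```

Browsers send the preflight without cookies or Authorization headers, so a filter that is supposed to answer it has to run before any filter that demands a login; the actual request that follows still passes through Magnolia's security callback unchanged. The 403 for unknown origins is a choice made here for visibility in logs; omitting the `Access-Control-Allow-Origin` header is what actually makes the browser block the call.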
| Comment by Simon Lutz [ 09/Nov/20 ] |
|
Ships with 6.2.4: |