CORS not implemented properly in os-core-common ResponseHeaders class
There are several problems with the way these headers are set:
- Access-Control-Allow-Origin resolves to `[*]`, which is what Java's `List.toString()` produces for a one-element list. Browsers compare the header value literally, so `[*]` matches neither `*` nor any real origin and every cross-origin request from a front-end app fails. It would need to resolve to `*` (or to a specific origin) to work.
- Even if Access-Control-Allow-Origin did resolve to `*`, a wildcard is very insecure for an authenticated API: any website could issue requests and read the responses. Browsers also reject `*` when `Access-Control-Allow-Credentials: true` is set, so the Admin UI could not send credentials against it anyway.
- Similarly, Access-Control-Allow-Methods resolves to a list rendering such as `[GET, POST, ...]`, which also doesn't work at all with front-end apps. It needs to resolve to a comma-delimited string, e.g. `GET, POST, PUT, DELETE, OPTIONS`.
Without addressing these issues, efforts like the Admin UI will fail, because a browser-based client cannot interact with the platform until a proper CORS implementation is in place.

Proposed fix:
- Set the Access-Control-Allow-Origin header from an environment variable (a specific origin or allow-list rather than a hard-coded `*`)
- Make Access-Control-Allow-Methods resolve to a comma-delimited string
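The following is an added illustration of the broken and corrected header shapes, not code from os-core-common: the class name, the env var `OSDU_CORS_ALLOWED_ORIGINS` and the method names are assumptions. It reproduces the `[*]` / `[GET, POST, ...]` rendering that a list-valued header map produces when stringified, then builds proper single-string values. Because Access-Control-Allow-Origin accepts only one origin or `*`, an env var that lists several origins has to be matched against the request's `Origin` and echoed back (with `Vary: Origin`), which is what the corrected version does.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

// Hypothetical example class; not the ResponseHeaders class from os-core-common.
public class CorsHeadersExample {

    static final List<String> METHODS = Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS");

    // Broken shape: header values are lists. When a servlet layer does
    // response.setHeader(name, String.valueOf(value)), the wire value becomes
    // "[*]" and "[GET, POST, PUT, DELETE, OPTIONS]", which no browser accepts.
    static Map<String, List<String>> brokenHeaders() {
        Map<String, List<String>> h = new LinkedHashMap<>();
        h.put("Access-Control-Allow-Origin", Collections.singletonList("*"));
        h.put("Access-Control-Allow-Methods", METHODS);
        return h;
    }

    // Reads the (hypothetical) OSDU_CORS_ALLOWED_ORIGINS env var as a
    // comma-separated allow-list, e.g. "https://admin.example.com,https://portal.example.com".
    // Unset or empty means "no CORS", never a silent fallback to "*".
    static Set<String> allowedOriginsFromEnv() {
        String raw = System.getenv("OSDU_CORS_ALLOWED_ORIGINS");
        if (raw == null || raw.trim().isEmpty()) {
            return Collections.emptySet();
        }
        return Arrays.stream(raw.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toSet());
    }

    // Corrected shape: one String per header. The origin is echoed only if it is
    // on the allow-list; "*" is emitted only when the operator explicitly configured it.
    static Map<String, String> corsHeaders(String requestOrigin, Set<String> allowedOrigins) {
        Map<String, String> h = new LinkedHashMap<>();
        if (allowedOrigins.contains("*")) {
            h.put("Access-Control-Allow-Origin", "*");
        } else if (requestOrigin != null && allowedOrigins.contains(requestOrigin)) {
            h.put("Access-Control-Allow-Origin", requestOrigin);
            // Caches must key on Origin, or one origin's response could be served to another.
            h.put("Vary", "Origin");
        } else {
            return h; // no CORS headers at all: the browser blocks the cross-origin read
        }
        // Comma-delimited string, as the Fetch spec requires.
        h.put("Access-Control-Allow-Methods", String.join(", ", METHODS));
        return h;
    }

    public static void main(String[] args) {
        System.out.println("-- broken (what a list-valued map renders as) --");
        brokenHeaders().forEach((k, v) -> System.out.println(k + ": " + String.valueOf(v)));

        // Constructed allow-list standing in for the env var so the demo runs without it set.
        Set<String> allowed = allowedOriginsFromEnv().isEmpty()
                ? Collections.singleton("https://admin.example.com")
                : allowedOriginsFromEnv();

        System.out.println("-- allowed origin --");
        corsHeaders("https://admin.example.com", allowed).forEach((k, v) -> System.out.println(k + ": " + v));

        System.out.println("-- unknown origin (no CORS headers emitted) --");
        corsHeaders("https://evil.example.net", allowed).forEach((k, v) -> System.out.println(k + ": " + v));
    }
}
```

Run with `OSDU_CORS_ALLOWED_ORIGINS=https://admin.example.com java CorsHeadersExample.java` to see the env-driven path; without the variable the demo substitutes a constructed allow-list. Note that if the platform ever needs `Access-Control-Allow-Credentials: true`, the `*` branch must be dropped entirely, since browsers refuse credentialed responses carrying a wildcard origin.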