CORS not implemented properly in os-core-common ResponseHeaders class
Most of the Spring filters in our services set response headers from the ResponseHeaders class in os-core-common:
There are several problems with the way these headers are set:
- Access-Control-Allow-Origin resolves to the literal string [*], which doesn't work at all with front-end apps; it would need to resolve to * to work
- Even if Access-Control-Allow-Origin did resolve to *, it would be very insecure
- Similarly, Access-Control-Allow-Methods resolves to the string form of a list, which also doesn't work at all with front-end apps. It needs to resolve to a comma-delimited string
Without addressing these issues, efforts like the Admin UI will fail because it won’t be able to interact with the platform without proper CORS implementation in place.
Proposed Resolution:
- Set Access-Control-Allow-Origin header from environment variable
- Make Access-Control-Allow-Methods resolve correctly
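The following is an added illustration, not code from os-core-common or from this issue: it reproduces the two broken header values (a Java List rendered straight into the header, giving "[*]" and "[GET, POST, ...]"), then shows one way to emit the corrected values, taking the allowed origins from an environment variable. The environment variable name CORS_ALLOWED_ORIGINS, the method list, and the origin allowlist approach are assumptions of the example, not anything the issue specifies.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not os-core-common code). The env var name CORS_ALLOWED_ORIGINS
 * and the method list below are assumptions made for illustration.
 */
public final class CorsHeaderExample {

    private static final List<String> METHODS =
        Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS");

    /** Reproduces the defect: List.toString() yields "[*]" and "[GET, POST, ...]". */
    static Map<String, String> brokenHeaders() {
        Map<String, String> h = new LinkedHashMap<>();
        h.put("Access-Control-Allow-Origin", Arrays.asList("*").toString()); // "[*]"
        h.put("Access-Control-Allow-Methods", METHODS.toString());           // "[GET, POST, PUT, DELETE, OPTIONS]"
        return h;
    }

    /** Parses a comma-separated env value such as "https://a.example,https://b.example" into an allowlist. */
    static Set<String> allowedOrigins(String envValue) {
        Set<String> out = new LinkedHashSet<>();
        if (envValue == null) {
            return out;
        }
        for (String o : envValue.split(",")) {
            String trimmed = o.trim();
            if (!trimmed.isEmpty()) {
                out.add(trimmed);
            }
        }
        return out;
    }

    /**
     * Corrected headers for one request. The request's Origin is echoed back only
     * when it is on the allowlist; otherwise no CORS headers are emitted and the
     * browser blocks the cross-origin read. "Vary: Origin" stops a shared cache from
     * serving one origin's response to a different origin. Methods are joined into
     * the comma-delimited string browsers expect.
     */
    static Map<String, String> corsHeaders(Set<String> allowed, String requestOrigin) {
        Map<String, String> h = new LinkedHashMap<>();
        if (requestOrigin == null || !allowed.contains(requestOrigin)) {
            return h;
        }
        h.put("Access-Control-Allow-Origin", requestOrigin);
        h.put("Vary", "Origin");
        h.put("Access-Control-Allow-Methods", String.join(", ", METHODS)); // "GET, POST, PUT, DELETE, OPTIONS"
        return h;
    }

    public static void main(String[] args) {
        System.out.println("broken:   " + brokenHeaders());

        // Constructed sample; in a service this would be System.getenv("CORS_ALLOWED_ORIGINS").
        Set<String> allowed = allowedOrigins("https://admin-ui.example, https://other.example");
        System.out.println("allowed:  " + corsHeaders(allowed, "https://admin-ui.example"));
        System.out.println("rejected: " + corsHeaders(allowed, "https://evil.example"));
    }
}
```

Two points worth keeping in mind when wiring this into a filter: echoing an allowlisted Origin rather than sending * is what the second bullet above is asking for, and it is also the only option if the platform ever needs Access-Control-Allow-Credentials, since browsers refuse a credentialed response whose Allow-Origin is *. The allowlist comparison must be an exact string match on the full origin (scheme, host, port), not a prefix or substring check.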