Invalid cors request on same-domain requests

[zlepper]

Thanks for raising a Spring Boot issue. What sort of issue are you raising?
Bug report

Spring boot version: 1.5.8

General issue description:
When a request is send from chrome using XMLHttpRequest, an origin header is added, which causes spring to report invalid CORS request, even though it's not actually a CORS request. See this SO question: https://stackoverflow.com/questions/15512331/chrome-adding-origin-header-to-same-origin-request

Adding the CrossOrigin annotation to the controller doesn't help.
You have to add something like this to your WebSecurity configuration:

    @Bean
    fun corsConfigurationSource(): CorsConfigurationSource {
        val source = UrlBasedCorsConfigurationSource()
        val conf = CorsConfiguration()
        conf.addAllowedHeader("*")
        conf.addAllowedMethod("*")
        conf.addAllowedOrigin("*")
        source.registerCorsConfiguration("/**", conf)
        return source
    }

In my opinion Spring shouldn't give a 403, just because an origin header is present, chrome adds it to all POST requests, not just the Preflight Request.

[wilkinsona]

Spring Framework's DefaultCorsProcessor will skip a request from the same origin. However, it's not clear from what you've described above if that code is definitely involved. Can you please provide a sample that reproduces the behaviour that you have described?

[spring-projects-issues]

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

[spring-projects-issues]

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.

[skitching-um]

Perhaps related to https://jira.spring.io/browse/SPR-16262?
The original post does not mention whether a proxy was used in front of the app, but does describe setting addAllowedOrigin("*") which would "work around" the issue (by effectively disabling CORS checks completely).

[zlepper]

That is indeed the case, we have traefik in front as a proxy.

[skitching-um]

Ah, and traefik is also a proxy which fails to add X-Forwarded-Port: traefik/traefik#1220
So this is indeed the same issue as SPR-16262.

[zlepper]

If I may be so currious as to ask: Why does spring even care about CORS, other than to tell the browser that it's alright to make the cors request? Isn't CORS only something the browser themselves really should care about?

[wilkinsona]

@zlepper No, CORS is a serverside concern too. If you have questions about CORS, please ask on Stack Overflow.