Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
CORS Preflight responses missing `Access-Control-Request-Headers`
See original GitHub issueDescribe the bug
I am unable to find the right setting to automatically set the Access-Control-Request-Headers in the Preflight/Options response. I tried using the setting quarkus.http.cors.headers by yaml config but that doesn’t produce any header response on the OPTIONS endpoints (https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS#preflighted_requests_in_cors).
Wildcards aren’t valid anymore.
Expected behavior
Quarkus generates all valid headers Access-Control-Request-Headers e.g. from the config quarkus.http.cors.headers and outputs this to the OPTION response.
Example
OPTIONS /resources/post-here/ HTTP/1.1
Host: bar.example
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Connection: keep-alive
Origin: https://foo.example
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-PINGOTHER, Content-Type
Actual behavior
Access-Control-Request-Headers are missing
my request:
OPTIONS /users/login HTTP/1.1
Host: localhost:8081
User-Agent: insomnia/2021.2.2
Content-Type: application/json
Access-Control-Request-Headers: content-type
Accept: */*
Content-Length: 0
my current response
HTTP/1.1 200 OK
Content-Length: 24
Access-Control-Allow-Origin: *
Allow: HEAD, POST, GET, OPTIONS
Content-Type: text/plain;charset=UTF-8
Fronend/Browser blocks the request ccess to XMLHttpRequest at 'http://localhost:8081/users/login' from origin 'http://localhost:8080' has been blocked by CORS policy
My config:
quarkus:
http:
access-log:
enabled: true
cors:
~: true
origins: "*"
methods: "POST, GET, PUT, OPTIONS, DELETE"
headers: "accept, origin, authorization, content-type, Content-Type, x-requested-with, access-control-request-headers"
exposed-headers: "accept, origin, authorization, content-type, Content-Type, x-requested-with, access-control-request-headers"
To Reproduce
### Screenshots
(If applicable, add screenshots to help explain your problem.)
## Environment (please complete the following information):
### Output of `uname -a` or `ver`
### Output of `java -version`
### GraalVM version (if different from Java)
### Quarkus version or git rev
### Build tool (ie. output of `mvnw --version` or `gradlew --version`)
## Additional context
(Add any other context about the problem here.)
Issue Analytics
- State:
- Created 2 years ago
- Comments:13 (5 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Just wanted to confirm that I’m still seeing this issue with quarkus 2.5.0.Final. The browser requests “Access-Control-Request-Headers: content-type,x-build”, quarkus responds with “access-control-allow-headers: content-type” only, despite having set “quarkus.http.cors=true” in the application config.
I’m seeing the same issue. However, the issue only seems to occur when compiling to a native image. When running in dev mode (JRE based) CORS is working fine. I’m also using a custom CORS filter a workaround now.