Good morning devs,

I hope you are doing well. I would like to have your opinion about the *APICorsFilter* in the *rest-api* plugin.

We are using that plugin in a custom version of OFBiz and we have had a little confusion due to a CORS error which prevented the correct calls of the services coming from the UI. Specifically, from the Network tab of the browser we saw that the response header "Access-Control-Allow-Origin" never matched the "Origin" header.

After a bit of research we noticed that the APICorsFilter class set the Access-Control-Allow-Origin by searching for a match among the values of "host-headers-allowed" in security.property. It is not completely clear to us why that is, since that property should contain only domain names, not full origins.

So my question is: are there any specific reasons to read both allowed domains and full origins from that property? Wouldn't it be better to have a specific new property for the allowed CORS origins only?

Thanks in advance for sharing your thoughts on this.

Giulio

--
Giulio Speri
Full Stack Web Developer
*Mp Style Srl*
via Antonio Meucci, 37
41019 Limidi di Soliera (MO)
T 059/684916
M 347/0965506
www.mpstyle.it
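The mismatch described in the message above, as an added illustration that is not part of the original message and is not OFBiz code: a browser's `Origin` header is a full origin (scheme, host, optional port), so an exact comparison against a list of bare host names does not line up, while a dedicated origin allowlist does. The class name, both sets and their sample values are constructed assumptions, and the dedicated allowlist stands in for the hypothetical new property the message proposes.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

public class CorsOriginCheck {
    // Constructed sample values: host names only, as the message says host-headers-allowed should hold.
    static final Set<String> HOST_HEADERS_ALLOWED = Set.of("localhost", "ui.example.com");
    // Hypothetical dedicated allowlist of full origins (assumed, not an existing OFBiz property).
    static final Set<String> CORS_ORIGINS_ALLOWED = Set.of("https://ui.example.com", "http://localhost:3000");

    /** Normalizes an Origin header to scheme://host[:port]; empty if it is not a plain origin. */
    static Optional<String> normalizeOrigin(String origin) {
        if (origin == null || origin.isBlank() || "null".equals(origin)) return Optional.empty();
        try {
            URI u = new URI(origin.trim());
            String scheme = u.getScheme();
            String host = u.getHost();
            if (scheme == null || host == null) return Optional.empty();
            // A serialized origin has no user info, path, query or fragment.
            boolean hasPath = u.getRawPath() != null && !u.getRawPath().isEmpty();
            if (u.getRawUserInfo() != null || hasPath || u.getRawQuery() != null || u.getRawFragment() != null)
                return Optional.empty();
            scheme = scheme.toLowerCase(Locale.ROOT);
            int port = u.getPort();
            // Drop the port when it is the scheme default, so ":443" and no port compare equal.
            boolean defaultPort = port == -1 || (scheme.equals("https") && port == 443)
                    || (scheme.equals("http") && port == 80);
            return Optional.of(scheme + "://" + host.toLowerCase(Locale.ROOT) + (defaultPort ? "" : ":" + port));
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
    }

    /** Value to send as Access-Control-Allow-Origin, or empty when the header must be omitted. */
    static Optional<String> allowedOrigin(String originHeader, Set<String> allowlist) {
        // Exact match on the normalized origin: no substring or suffix matching.
        return normalizeOrigin(originHeader).filter(allowlist::contains);
    }

    public static void main(String[] args) {
        String origin = "https://ui.example.com"; // constructed Origin header value
        // Full origin compared against bare host names.
        System.out.println("host list:   " + allowedOrigin(origin, HOST_HEADERS_ALLOWED));
        // Same origin compared against the dedicated origin allowlist.
        System.out.println("origin list: " + allowedOrigin(origin, CORS_ORIGINS_ALLOWED));
        // Look-alike host that a suffix or substring match would let through.
        System.out.println("look-alike:  " + allowedOrigin("https://ui.example.com.example.net", CORS_ORIGINS_ALLOWED));
    }
}
```

When the returned origin is echoed into `Access-Control-Allow-Origin`, the response should also carry `Vary: Origin` so that caches do not serve one origin's response to another.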
