Good morning Anahita, thank you for submitting the PRs. When I first looked at the code of that filter I was thinking of exactly the same modification you probably made. I'll review them as soon as possible and give you feedback.
Thanks! :)

Giulio

On Thu 26 Mar 2026 at 20:44 Anahita Goljahani <[email protected]> wrote:

> Hi Giulio 🙂,
>
> I have checked the code and I think you are absolutely right.
>
> I have submitted two pull requests
>
> - #1034 for framework (https://github.com/apache/ofbiz-framework/pull/1034)
> - #170 for plugins (https://github.com/apache/ofbiz-plugins/pull/170)
>
> that should address the issue by
>
> - introducing the new property cors.origins.allowed in security.properties, so that the list of allowed origins can be specified (framework);
> - adding the new method getCorsOriginsAllowed() to UtilMisc to retrieve the list of allowed origins from cors.origins.allowed (framework);
> - modifying the APICorsFilter class to correctly compare the Origin header of the request with the list of allowed origins and to populate the Access-Control-Allow-Origin response header based on the matching result (plugins).
>
> Could you please check whether these fixes work in your case?
>
> Thank you
>
> Anahita
>
> On Mon 23 Mar 2026 at 10:19 Giulio Speri - MpStyle Srl <[email protected]> wrote:
>
> > Good morning devs,
> >
> > I hope you are doing well.
> > I would like to have your opinion about the *APICorsFilter* in the *rest-api* plugin.
> >
> > We are using that plugin in a custom version of OFBiz and we have had a little confusion due to a CORS error which prevented the correct calls of the services coming from the UI.
> > Specifically, from the Network tab of the browser we saw that the response header "Access-Control-Allow-Origin" never matched the "Origin" header.
> >
> > After a bit of research we noticed that the APICorsFilter class sets the Access-Control-Allow-Origin by searching for a match among the values of "host-headers-allowed" in security.properties.
> > It is not completely clear to us why that is, since that property should contain only domain names, not full origins.
> >
> > So my question is: are there any specific reasons to read both allowed domains and full origins from that property?
> > Wouldn't it be better to have a specific new property for the allowed CORS origins only?
> >
> > Thanks in advance for sharing your thoughts on this.
> >
> > Giulio
> >
> > --
> > ------------
> > Giulio Speri
> > Full Stack Web Developer
> >
> > *Mp Style Srl*
> > via Antonio Meucci, 37
> > 41019 Limidi di Soliera (MO)
> > T 059/684916
> > M 347/0965506
> >
> > www.mpstyle.it

--
------------
Giulio Speri
Full Stack Web Developer

*Mp Style Srl*
via Antonio Meucci, 37
41019 Limidi di Soliera (MO)
T 059/684916
M 347/0965506

www.mpstyle.it
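The thread above turns on one point: an `Origin` header is a full origin (`scheme://host[:port]`), so comparing it against a list of bare host names such as the values of `host-headers-allowed` can never match, and the browser then rejects the response. The following is an added, standalone example written for this thread; it is not code from OFBiz, from the `APICorsFilter`, or from the two pull requests. It assumes a comma-separated property in the shape Anahita describes for `cors.origins.allowed`, and it models the servlet response as a plain `Map` so it runs without the servlet API. The class name `CorsOriginMatcher`, the method names, and the sample origins are all hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;

/** Hypothetical illustration of exact-origin matching for a CORS filter (not OFBiz code). */
public class CorsOriginMatcher {

    private final Set<String> allowedOrigins;

    /** @param property the value of a property such as cors.origins.allowed, e.g. "https://app.example.com, http://localhost:3000" */
    public CorsOriginMatcher(String property) {
        this.allowedOrigins = Arrays.stream(property.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .map(CorsOriginMatcher::normalize)
                .flatMap(Optional::stream)
                .collect(Collectors.toCollection(LinkedHashSet::new));
    }

    /**
     * Reduce an origin string to the canonical "scheme://host[:port]" form (lower-case,
     * default port dropped). Anything without a scheme or host, or carrying userinfo or a
     * path, is rejected: a browser never sends such a value in Origin, so a configuration
     * entry like a bare host name ("app.example.com") could never match and is reported as
     * unusable rather than silently kept.
     */
    static Optional<String> normalize(String origin) {
        try {
            URI uri = new URI(origin);
            String scheme = uri.getScheme();
            String host = uri.getHost();
            String path = uri.getRawPath();
            if (scheme == null || host == null || uri.getRawUserInfo() != null
                    || !(path == null || path.isEmpty())) {
                return Optional.empty();
            }
            scheme = scheme.toLowerCase(Locale.ROOT);
            host = host.toLowerCase(Locale.ROOT);
            int port = uri.getPort();
            boolean defaultPort = port == -1
                    || ("http".equals(scheme) && port == 80)
                    || ("https".equals(scheme) && port == 443);
            return Optional.of(defaultPort ? scheme + "://" + host : scheme + "://" + host + ":" + port);
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
    }

    /** Value for Access-Control-Allow-Origin, or empty when the request origin is not on the list. */
    public Optional<String> allowOriginFor(String originHeader) {
        if (originHeader == null) {
            return Optional.empty();
        }
        // Exact match only: no prefix/suffix matching, so "https://app.example.com.evil.test"
        // does not match an entry for "https://app.example.com".
        return normalize(originHeader).filter(allowedOrigins::contains);
    }

    /** Stands in for HttpServletResponse.setHeader calls a real filter would make. */
    public static void applyCorsHeaders(Map<String, String> responseHeaders,
                                        CorsOriginMatcher matcher, String originHeader) {
        // Vary on Origin so a shared cache never serves one origin's answer to another.
        responseHeaders.put("Vary", "Origin");
        matcher.allowOriginFor(originHeader).ifPresent(origin -> {
            // Echo the matched origin itself (never "*") so credentialed requests are valid.
            responseHeaders.put("Access-Control-Allow-Origin", origin);
            responseHeaders.put("Access-Control-Allow-Credentials", "true");
        });
        // No match: no Access-Control-Allow-Origin at all, and the browser blocks the response.
    }

    public static void main(String[] args) {
        // Constructed sample configuration; a deployment would read it from security.properties.
        CorsOriginMatcher matcher = new CorsOriginMatcher("https://app.example.com, http://localhost:3000");
        String[] sampleOrigins = {
            "https://app.example.com",            // allowed
            "HTTPS://APP.EXAMPLE.COM:443",        // allowed after normalisation
            "http://localhost:3000",              // allowed
            "https://app.example.com.evil.test",  // rejected: different host
            "app.example.com",                    // rejected: bare host name, not an origin
            null                                  // rejected: same-origin request, no header
        };
        for (String origin : sampleOrigins) {
            Map<String, String> headers = new LinkedHashMap<>();
            applyCorsHeaders(headers, matcher, origin);
            System.out.println(origin + " -> " + headers);
        }
    }
}
```

The design choice worth noting for the review: the allowed list is normalised once at construction, the request `Origin` is normalised with the same routine, and the comparison is a set lookup on the canonical string. That removes the class of mismatch the original mail reports (header never equal to the configured value) without resorting to `contains`/`startsWith` checks, which are the usual source of origin-bypass bugs in CORS filters.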
