Hi Anahita,

I reviewed the PRs and I can confirm that those modifications are what I also had in mind and that they would fix the CORS handling by that filter.

On Fri, 27 Mar 2026 at 09:19, Giulio Speri - MpStyle Srl <[email protected]> wrote:

> Good morning Anahita,
>
> thank you for submitting the PRs.
> When I first looked at the code of that filter I was thinking of exactly
> the same modification you probably did. I'll review them as soon as
> possible and I'll give you feedback.
>
> Thanks! :)
> Giulio
>
> On Thu, 26 Mar 2026 at 20:44, Anahita Goljahani <[email protected]> wrote:
>
>> Hi Giulio 🙂,
>>
>> I have checked the code and I think you are absolutely right.
>>
>> I have submitted two pull requests
>>
>> - #1034 for framework (https://github.com/apache/ofbiz-framework/pull/1034)
>> - #170 for plugins (https://github.com/apache/ofbiz-plugins/pull/170)
>>
>> that should address the issue by
>>
>> - introducing the new property cors.origins.allowed in
>>   security.properties, so that the list of allowed origins can be
>>   specified (framework);
>> - adding the new method getCorsOriginsAllowed() to UtilMisc to
>>   retrieve the list of allowed origins from cors.origins.allowed
>>   (framework);
>> - modifying the APICorsFilter class to correctly compare the Origin
>>   header of the request with the list of allowed origins and to populate
>>   the Access-Control-Allow-Origin response header based on the matching
>>   result (plugins).
>>
>> Could you please check whether these fixes work in your case?
>>
>> Thank you
>>
>> Anahita
>>
>> On Mon, 23 Mar 2026 at 10:19, Giulio Speri - MpStyle Srl
>> <[email protected]> wrote:
>> >
>> > Good morning devs,
>> >
>> > I hope you are doing well.
>> > I would like to have your opinion about the *APICorsFilter* in the
>> > *rest-api* plugin.
>> >
>> > We are using that plugin in a custom version of OFBiz and we have had a
>> > little confusion due to a CORS error which prevented the correct calls of
>> > the services coming from the UI.
>> > Specifically, from the Network tab of the browser we saw that the response
>> > header "Access-Control-Allow-Origin" never matched the "Origin" header.
>> >
>> > After a bit of research we noticed that the APICorsFilter class set
>> > the Access-Control-Allow-Origin searching a match among the values of the
>> > "host-headers-allowed" in security.property.
>> > It is not completely clear to us why that is, since that property should
>> > contain only domain names, not full origins.
>> >
>> > So my question is: are there any specific reasons to read both allowed
>> > domains and full origins from that property?
>> > Wouldn't it be better to have a specific new property for the cors origin
>> > allowed only?
>> >
>> > Thanks in advance for sharing your thoughts on this.
>> >
>> > Giulio
>> >
>> > --
>> > Giulio Speri
>> > Full Stack Web Developer
>> >
>> > *Mp Style Srl*
>> > via Antonio Meucci, 37
>> > 41019 Limidi di Soliera (MO)
>> > T 059/684916
>> > M 347/0965506
>> >
>> > www.mpstyle.it

--
Giulio Speri
Full Stack Web Developer

*Mp Style Srl*
via Antonio Meucci, 37
41019 Limidi di Soliera (MO)
T 059/684916
M 347/0965506

www.mpstyle.it
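
The comparison discussed in this thread, matching the request's Origin header against a list of full origins rather than host names, sketched as an added example; it is not the code from the pull requests. The class and method names are hypothetical, and the comma-separated format assumed for cors.origins.allowed is an assumption.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;

public class CorsOriginCheck { // hypothetical class, not part of OFBiz
    // Canonical "scheme://host[:port]", or null if the value is not a bare http(s) origin.
    static String normalize(String value) {
        if (value == null) return null;
        try {
            URI u = new URI(value.trim());
            String scheme = u.getScheme() == null ? "" : u.getScheme().toLowerCase(Locale.ROOT);
            boolean http = scheme.equals("http"), https = scheme.equals("https");
            if (!(http || https) || u.getHost() == null || u.getUserInfo() != null
                    || !u.getRawPath().isEmpty() || u.getRawQuery() != null || u.getRawFragment() != null) {
                return null; // host names alone, paths, "null" and other schemes are not origins
            }
            int port = u.getPort();
            boolean defaultPort = port == -1 || (http && port == 80) || (https && port == 443);
            return scheme + "://" + u.getHost().toLowerCase(Locale.ROOT) + (defaultPort ? "" : ":" + port);
        } catch (URISyntaxException e) {
            return null;
        }
    }

    // Assumption: the property value is a comma-separated list of full origins.
    static Set<String> parseAllowed(String propertyValue) {
        Set<String> allowed = new LinkedHashSet<>();
        for (String entry : propertyValue.split(",")) {
            String origin = normalize(entry);
            if (origin != null) allowed.add(origin);
        }
        return allowed;
    }

    // Value for Access-Control-Allow-Origin, or null when the header must be left out.
    static String allowOriginFor(String originHeader, Set<String> allowed) {
        String origin = normalize(originHeader);
        return origin != null && allowed.contains(origin) ? origin : null;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any OFBiz configuration.
        Set<String> origins = parseAllowed("https://shop.example.com, http://localhost:3000");
        Set<String> hosts = parseAllowed("shop.example.com,localhost"); // host names only
        for (String o : new String[] {"https://shop.example.com", "http://shop.example.com", "null"}) {
            System.out.println(o + " | origins list: " + allowOriginFor(o, origins)
                    + " | host list: " + allowOriginFor(o, hosts));
        }
    }
}
```

A response whose Access-Control-Allow-Origin value depends on the request should also carry `Vary: Origin`, so that shared caches do not serve one origin's response to another.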
