Hi Jacopo,

I have created a Jira ticket for this issue: OFBIZ-13377
(https://issues.apache.org/jira/browse/OFBIZ-13377).

I’ve also submitted two PRs to backport the changes to release 24.09,
including a reference to the ticket.

Anahita

On Mon, Mar 30, 2026 at 10:02 Jacopo Cappellato
<[email protected]> wrote:
>
> Thank you Giulio, Anahita.
>
> In my opinion what Giulio reported can be considered a bug that I'd like to
> backport to the release24.09 branch, in preparation for the new release.
> Anahita, would you mind creating two pull requests for the release24.09
> branch?
>
> Jacopo
>
>
> On Mon, Mar 30, 2026 at 9:34 AM Giulio Speri - MpStyle Srl <
> [email protected]> wrote:
>
> > Good morning Anahita,
> >
> > your two PRs have been merged into trunk.
> >
> > Thanks and have a good day ahead,
> >
> > Giulio
> >
> > On Fri, Mar 27, 2026 at 15:55 Anahita Goljahani <
> > [email protected]> wrote:
> >
> > > Hi Giulio,
> > >
> > > thanks!
> > >
> > > Anahita
> > >
> > > On Fri, Mar 27, 2026 at 11:29 Giulio Speri - MpStyle Srl
> > > <[email protected]> wrote:
> > > >
> > > > Hi Anahita,
> > > >
> > > > I reviewed the PRs and I can confirm that those modifications are what I
> > > > had also in mind and that would fix the CORS handling by that filter.
> > > >
> > > > On Fri, Mar 27, 2026 at 09:19 Giulio Speri - MpStyle Srl <
> > > > [email protected]> wrote:
> > > >
> > > > > Good morning Anahita,
> > > > >
> > > > > thank you for submitting the PRs.
> > > > > When I first looked at the code of that filter I was thinking exactly at
> > > > > the same modification you probably did. I'll review them as soon as
> > > > > possible and I'll give you feedback.
> > > > >
> > > > > Thanks! :)
> > > > > Giulio
> > > > >
> > > > > On Thu, Mar 26, 2026 at 20:44 Anahita Goljahani <
> > > > > [email protected]> wrote:
> > > > >
> > > > >> Hi Giulio 🙂,
> > > > >>
> > > > >> I have checked the code and I think you are absolutely right.
> > > > >>
> > > > >> I have submitted two pull requests
> > > > >>
> > > > >> - #1034 for framework (https://github.com/apache/ofbiz-framework/pull/1034)
> > > > >> - #170 for plugins (https://github.com/apache/ofbiz-plugins/pull/170)
> > > > >>
> > > > >> that should address the issue by
> > > > >>
> > > > >> - introducing the new property cors.origins.allowed in
> > > > >> security.properties, so that the list of allowed origins can be
> > > > >> specified (framework);
> > > > >> - adding the new method getCorsOriginsAllowed() to UtilMisc to
> > > > >> retrieve the list of allowed origins from cors.origins.allowed
> > > > >> (framework);
> > > > >> - modifying the APICorsFilter class to correctly compare the Origin
> > > > >> header of the request with the list of allowed origins and to populate
> > > > >> the Access-Control-Allow-Origin response header based on the matching
> > > > >> result (plugins).
> > > > >>
> > > > >> Could you please check whether these fixes work in your case?
> > > > >>
> > > > >> Thank you
> > > > >>
> > > > >> Anahita
> > > > >>
> > > > >> On Mon, Mar 23, 2026 at 10:19 Giulio Speri - MpStyle Srl
> > > > >> <[email protected]> wrote:
> > > > >> >
> > > > >> > Good morning devs,
> > > > >> >
> > > > >> > I hope you are doing well.
> > > > >> > I would like to have your opinion about the *APICorsFilter* in the
> > > > >> > *rest-api* plugin.
> > > > >> >
> > > > >> > We are using that plugin in a custom version of OFBiz and we have had a
> > > > >> > little confusion due to a CORS error which prevented the correct calls of
> > > > >> > the services coming from the UI.
> > > > >> > Specifically from the Network tab of the browser we saw that the response
> > > > >> > header "Access-Control-Allow-Origin" never matched the "Origin" header.
> > > > >> >
> > > > >> > After a bit of research we noticed that the APICorsFilter class set
> > > > >> > the Access-Control-Allow-Origin searching a match among the values of the
> > > > >> > "host-headers-allowed" in security.properties.
> > > > >> > It is not completely clear to us why that is, since that property should
> > > > >> > contain only domain names, not full origins.
> > > > >> >
> > > > >> > So my question is: are there any specific reasons to read both, allowed
> > > > >> > domains and full origins, from that property?
> > > > >> > Wouldn't it be better to have a specific new property for the CORS origins
> > > > >> > allowed only?
> > > > >> >
> > > > >> > Thanks in advance for sharing your thoughts on this.
> > > > >> >
> > > > >> > Giulio
> > > > >> >
> > > > >> >
> > > > >> > --
> > > > >> > ------------
> > > > >> > Giulio Speri
> > > > >> > Full Stack Web Developer
> > > > >> >
> > > > >> >
> > > > >> >
> > > > >> > *Mp Style Srl*
> > > > >> > via Antonio Meucci, 37
> > > > >> > 41019 Limidi di Soliera (MO)
> > > > >> > T 059/684916
> > > > >> > M 347/0965506
> > > > >> >
> > > > >> > www.mpstyle.it
> > > > >>

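The origin matching the thread settles on (comparing the request's full Origin against a dedicated allow-list and populating Access-Control-Allow-Origin only on an exact match), shown as an added example; this is not OFBiz code nor any participant's PR. The property name cors.origins.allowed and the host-headers-allowed contrast come from the thread; the parsing, normalization and the constructed sample values are assumptions of this example, and it uses a plain map instead of the servlet API so it runs stand-alone.

```java
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/** Exact-match CORS origin allow-listing (illustrative, not the project's APICorsFilter). */
public class CorsOriginAllowList {

    /** Parse a comma-separated value such as the proposed cors.origins.allowed property. */
    public static Set<String> parseAllowedOrigins(String propertyValue) {
        Set<String> origins = new LinkedHashSet<>();
        if (propertyValue == null) {
            return origins;
        }
        for (String raw : propertyValue.split(",")) {
            String origin = normalize(raw);
            if (!origin.isEmpty()) {
                origins.add(origin);
            }
        }
        return origins;
    }

    /** Scheme and host of an origin are case-insensitive (RFC 6454), so compare in lower case. */
    static String normalize(String origin) {
        return origin == null ? "" : origin.trim().toLowerCase(Locale.ROOT);
    }

    /**
     * Value for Access-Control-Allow-Origin, or empty when the request carries no Origin
     * header or its origin is not allow-listed. The comparison is an exact match of the
     * whole origin (scheme + host + port): a bare host name in the list never matches,
     * and neither does an origin that merely contains an allowed host as a substring.
     */
    public static Optional<String> resolveAllowedOrigin(String originHeader, Set<String> allowedOrigins) {
        String candidate = normalize(originHeader);
        if (candidate.isEmpty() || !allowedOrigins.contains(candidate)) {
            return Optional.empty();
        }
        // Echo the header as the browser sent it; browsers compare the value byte-wise
        return Optional.of(originHeader.trim());
    }

    /** Response headers a filter would add for this request (plain map stands in for HttpServletResponse). */
    public static Map<String, String> corsResponseHeaders(String originHeader, Set<String> allowedOrigins) {
        Map<String, String> headers = new LinkedHashMap<>();
        // Mark the response as Origin-dependent so shared caches never serve one origin's answer to another
        headers.put("Vary", "Origin");
        resolveAllowedOrigin(originHeader, allowedOrigins)
            .ifPresent(o -> headers.put("Access-Control-Allow-Origin", o));
        return headers;
    }

    public static void main(String[] args) {
        // Constructed sample configuration and requests, not taken from any real deployment
        Set<String> hostHeadersAllowed = parseAllowedOrigins("localhost,shop.example.com");
        Set<String> corsOriginsAllowed = parseAllowedOrigins("https://shop.example.com, http://localhost:3000");
        String[] requestOrigins = {
            "https://shop.example.com",
            "http://localhost:3000",
            "http://shop.example.com",               // wrong scheme: must not match
            "https://shop.example.com.example.org",  // merely contains an allowed host: must not match
            null                                     // same-origin or non-browser request: no Origin header
        };
        for (String origin : requestOrigins) {
            System.out.printf("Origin: %-40s host list -> %-12s origin list -> %s%n",
                origin,
                resolveAllowedOrigin(origin, hostHeadersAllowed).orElse("(no ACAO)"),
                resolveAllowedOrigin(origin, corsOriginsAllowed).orElse("(no ACAO)"));
            System.out.println("  headers: " + corsResponseHeaders(origin, corsOriginsAllowed));
        }
    }
}
```

Running main shows the symptom Giulio reported: against a list of host names, Access-Control-Allow-Origin is never set because a full origin can never equal a bare host, while the dedicated origin list matches only the exact scheme, host and port that were configured.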