Anahita Goljahani created OFBIZ-13377:
-----------------------------------------
Summary: Incorrect management of CORS origins in the rest-api plugin
Key: OFBIZ-13377
URL: https://issues.apache.org/jira/browse/OFBIZ-13377
Project: OFBiz
Issue Type: Bug
Components: rest-api
Affects Versions: 24.09.05
Reporter: Anahita Goljahani
Assignee: Anahita Goljahani
Fix For: 24.09.06
As raised by [~Giulio_MpStyle] [~gsperi] on the dev-list on March 23, 2026
(subject: "rest-api plugin and CORS filter"), CORS origins are incorrectly
managed in the rest-api plugin.
Specifically, as reported by Giulio:
'APICorsFilter class sets the Access-Control-Allow-Origin searching for a match
among the values of the "host-headers-allowed" in security.properties.'
However, these values are not valid origins.
The issue has been solved through the following two PRs:
* #1034 for framework ([https://github.com/apache/ofbiz-framework/pull/1034])
* #170 for plugins ([https://github.com/apache/ofbiz-plugins/pull/170])
These PRs:
* introduce the new property, cors.origins.allowed, in security.properties,
allowing the specification of permitted origins (framework);
* add a new method, getCorsOriginsAllowed(), to UtilMisc to retrieve the list
of allowed origins from cors.origins.allowed (framework);
* modify the APICorsFilter class to correctly compare the Origin header of the
request with the list of allowed origins and to populate the
Access-Control-Allow-Origin response header based on the matching result
(plugins).
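To illustrate the comparison the PRs describe (Origin header checked against a list of full origins, response header set only on a match), here is an added example. It is not OFBiz's own APICorsFilter or UtilMisc code; the comma-separated property format, the sample property values, the hostnames and the method names are assumptions made for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

/**
 * Illustrative origin check modelled on the fix described in this issue.
 * Example code, not OFBiz's APICorsFilter or UtilMisc; property formats,
 * sample values and method names are assumptions.
 */
public class CorsOriginCheck {

    // Constructed sample of cors.origins.allowed. Assumed format: comma-separated
    // full origins (scheme://host[:port]), no paths, no wildcards.
    static final String CORS_ORIGINS_ALLOWED =
            "https://shop.example.com, https://admin.example.com:8443, http://localhost:3000";

    // Constructed sample of host-headers-allowed: bare hostnames. A browser sends
    // Origin as scheme://host[:port], so these values never equal an Origin value,
    // which is the defect this issue describes.
    static final String HOST_HEADERS_ALLOWED = "shop.example.com, localhost";

    /** Split a comma-separated property value, trimming entries and dropping empties. */
    static List<String> parseList(String property) {
        List<String> out = new ArrayList<>();
        if (property == null) return out;
        for (String s : property.split(",")) {
            String t = s.trim();
            if (!t.isEmpty()) out.add(t);
        }
        return out;
    }

    /**
     * Canonical form of an origin: lower-cased scheme and host, default port
     * dropped. Empty when the value is not a bare origin (it has a path, query,
     * fragment or userinfo, or lacks a scheme or host), so a bare hostname such
     * as "shop.example.com" is rejected rather than loosely matched.
     */
    static Optional<String> normalizeOrigin(String value) {
        if (value == null) return Optional.empty();
        try {
            URI u = new URI(value.trim());
            String scheme = u.getScheme();
            String host = u.getHost();
            boolean bare = scheme != null && host != null
                    && (u.getRawPath() == null || u.getRawPath().isEmpty())
                    && u.getRawQuery() == null && u.getRawFragment() == null
                    && u.getRawUserInfo() == null;
            if (!bare) return Optional.empty();
            scheme = scheme.toLowerCase(Locale.ROOT);
            host = host.toLowerCase(Locale.ROOT);
            int port = u.getPort();
            boolean defaultPort = port == -1
                    || ("https".equals(scheme) && port == 443)
                    || ("http".equals(scheme) && port == 80);
            return Optional.of(scheme + "://" + host + (defaultPort ? "" : ":" + port));
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
    }

    /**
     * Exact-match lookup of the request's Origin against the allow list. Returns
     * the value to echo in Access-Control-Allow-Origin, or empty when nothing
     * matches, in which case the header must not be set at all.
     */
    static Optional<String> resolveAllowedOrigin(String requestOrigin, List<String> allowed) {
        Optional<String> req = normalizeOrigin(requestOrigin);
        if (!req.isPresent()) return Optional.empty();
        for (String a : allowed) {
            Optional<String> norm = normalizeOrigin(a);
            if (norm.isPresent() && norm.get().equals(req.get())) return req;
        }
        return Optional.empty();
    }

    /** Headers a filter would add: Vary always, Access-Control-Allow-Origin only on a match. */
    static Map<String, String> corsResponseHeaders(String requestOrigin, List<String> allowed) {
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Vary", "Origin"); // keep shared caches from reusing one origin's answer for another
        resolveAllowedOrigin(requestOrigin, allowed)
                .ifPresent(o -> headers.put("Access-Control-Allow-Origin", o));
        return headers;
    }

    public static void main(String[] args) {
        List<String> origins = parseList(CORS_ORIGINS_ALLOWED);
        List<String> hosts = parseList(HOST_HEADERS_ALLOWED);
        String[] requests = {
                "https://shop.example.com",       // allowed
                "HTTPS://Shop.Example.com:443",   // same origin, different spelling: allowed
                "https://other.example.com",      // not listed
                "http://shop.example.com",        // scheme differs
                "https://admin.example.com",      // port 8443 is part of the listed origin
        };
        for (String origin : requests) {
            System.out.printf("%-32s hostList=%-5s originList=%s%n", origin,
                    resolveAllowedOrigin(origin, hosts).isPresent(),
                    corsResponseHeaders(origin, origins));
        }
    }
}
```

Running `main` shows that every request fails against the host-header list (its entries are never valid origins) while only the two spellings of `https://shop.example.com` match the origin list. The two points worth carrying into any real filter are that the comparison is an exact match on the whole origin (scheme, host and port), and that on a mismatch the `Access-Control-Allow-Origin` header is left out entirely rather than set to some fallback value.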
--
This message was sent by Atlassian Jira
(v8.20.10#820010)