[
https://issues.apache.org/jira/browse/OFBIZ-13377?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jacopo Cappellato closed OFBIZ-13377.
-------------------------------------
Resolution: Fixed
> Incorrect management of CORS origins in the rest-api plugin
> -----------------------------------------------------------
>
> Key: OFBIZ-13377
> URL: https://issues.apache.org/jira/browse/OFBIZ-13377
> Project: OFBiz
> Issue Type: Bug
> Components: rest-api
> Affects Versions: 24.09.05
> Reporter: Anahita Goljahani
> Assignee: Anahita Goljahani
> Priority: Major
> Fix For: 24.09.06
>
>
> As raised by [~Giulio_MpStyle] [~gsperi] on the dev-list on March 23, 2026
> (subject: "rest-api plugin and CORS filter"), CORS origins are incorrectly
> managed in the rest-api plugin.
> Specifically, as reported by Giulio:
> 'APICorsFilter class sets the Access-Control-Allow-Origin searching a match
> among the values of the "host-headers-allowed" in security.properties.'
> However, these values are not valid origins.
> The issue has been solved through the following two PRs:
> * #1034 for framework
> ([https://github.com/apache/ofbiz-framework/pull/1034])
> * #170 for plugins ([https://github.com/apache/ofbiz-plugins/pull/170])
> These PRs:
> * introduce the new property, cors.origins.allowed, in security.properties,
> allowing the specification of permitted origins (framework);
> * add a new method, getCorsOriginsAllowed(), to UtilMisc to retrieve the
> list of allowed origins from cors.origins.allowed (framework);
> * modify the APICorsFilter class to correctly compare the Origin header of
> the request with the list of allowed origins and to populate the
> Access-Control-Allow-Origin response header based on the matching result
> (plugins).
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
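The origin comparison described in the issue above, shown as an added example that is not code from OFBiz, from APICorsFilter or from the linked pull requests: a comma-separated list of origins (the shape of the cors.origins.allowed property named above; the class and method names here are hypothetical) is parsed into canonical "scheme://host[:port]" values, entries that are only hostnames are discarded because a hostname is not an origin, and the request's Origin header is echoed into Access-Control-Allow-Origin only on an exact match, never on a prefix or substring match.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Optional;

/** Exact-match CORS origin allowlisting (added example, hypothetical names; not OFBiz code). */
public final class CorsOriginCheck {

    /** Parses a comma-separated list of origins, e.g. the value of a property
     *  such as cors.origins.allowed. Entries that are not syntactically valid
     *  origins (bare hostnames, URLs carrying a path) are dropped rather than
     *  silently turned into something that could match. */
    static List<String> parseAllowedOrigins(String propertyValue) {
        List<String> result = new ArrayList<>();
        if (propertyValue == null) {
            return result;
        }
        for (String entry : propertyValue.split(",")) {
            normalizeOrigin(entry.trim()).ifPresent(result::add);
        }
        return Collections.unmodifiableList(result);
    }

    /** Returns the canonical "scheme://host[:port]" form of an origin, or empty
     *  if the string is not an origin (no scheme, no host, or a path, query,
     *  fragment or userinfo is present). Default ports are dropped so that
     *  https://a.example:443 and https://a.example compare equal. */
    static Optional<String> normalizeOrigin(String value) {
        if (value == null || value.isEmpty()) {
            return Optional.empty();
        }
        URI uri;
        try {
            uri = new URI(value);
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null || uri.getRawUserInfo() != null
                || !uri.getRawPath().isEmpty() || uri.getRawQuery() != null
                || uri.getRawFragment() != null) {
            return Optional.empty();
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return Optional.empty();
        }
        host = host.toLowerCase(Locale.ROOT);
        int port = uri.getPort();
        int defaultPort = scheme.equals("https") ? 443 : 80;
        if (port == -1 || port == defaultPort) {
            return Optional.of(scheme + "://" + host);
        }
        return Optional.of(scheme + "://" + host + ":" + port);
    }

    /** Decides the value of Access-Control-Allow-Origin for one request.
     *  Only an exact match against the allowlist echoes the origin back;
     *  anything else yields empty and the response header must be omitted. */
    static Optional<String> resolveAllowOrigin(String originHeader, List<String> allowedOrigins) {
        Optional<String> origin = normalizeOrigin(originHeader);
        if (!origin.isPresent() || !allowedOrigins.contains(origin.get())) {
            return Optional.empty();
        }
        return origin;
    }

    public static void main(String[] args) {
        // Constructed sample configuration: "www.example.com" is a host-style
        // entry (the shape of host-headers-allowed) and is discarded because
        // it is not an origin.
        List<String> allowed = parseAllowedOrigins(
            "https://app.example.com, www.example.com, https://admin.example.com:8443");
        System.out.println("allowlist: " + allowed);

        // Constructed Origin header values a filter might see.
        String[] probes = {
            "https://app.example.com",           // exact match -> echoed back
            "https://app.example.com:443",       // default port -> same origin
            "http://app.example.com",            // scheme differs -> omit header
            "https://app.example.com.evil.test", // prefix match must not count
            "https://admin.example.com:8443",    // explicit port match
            "null"                               // opaque origin -> omit header
        };
        for (String probe : probes) {
            System.out.println(probe + " -> "
                + resolveAllowOrigin(probe, allowed).orElse("(omit header)"));
        }
    }
}
```

The point of normalizing both sides to the same canonical string and then using `contains` is that the comparison can only succeed on equality: a hostname-only configuration value never becomes matchable, and an origin that merely starts with an allowed value is rejected. When the result is empty the filter should leave Access-Control-Allow-Origin out of the response entirely rather than fall back to a wildcard.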