CORS Preflight responses missing Access-Control-Request-Headers

[YunaBraska]

Describe the bug

I am unable to find the right setting to automatically set the Access-Control-Request-Headers in the Preflight/Options response. I tried using the setting quarkus.http.cors.headers by yaml config but that doesn't produce any header response on the OPTIONS endpoints (https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS#preflighted_requests_in_cors).
Wildcards aren't valid anymore.

Expected behavior

Quarkus generates all valid headers Access-Control-Request-Headers e.g. from the config quarkus.http.cors.headers and outputs this to the OPTION response.
Example

OPTIONS /resources/post-here/ HTTP/1.1
Host: bar.example
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Connection: keep-alive
Origin: https://foo.example
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-PINGOTHER, Content-Type

Actual behavior

Access-Control-Request-Headers are missing

my request:

OPTIONS /users/login HTTP/1.1
Host: localhost:8081
User-Agent: insomnia/2021.2.2
Content-Type: application/json
Access-Control-Request-Headers: content-type
Accept: */*
Content-Length: 0

my current response

HTTP/1.1 200 OK
Content-Length: 24
Access-Control-Allow-Origin: *
Allow: HEAD, POST, GET, OPTIONS
Content-Type: text/plain;charset=UTF-8

Fronend/Browser blocks the request ccess to XMLHttpRequest at 'http://localhost:8081/users/login' from origin 'http://localhost:8080' has been blocked by CORS policy

My config:

quarkus:
  http:
    access-log:
      enabled: true
    cors:
      ~: true
      origins: "*"
      methods: "POST, GET, PUT, OPTIONS, DELETE"
      headers: "accept, origin, authorization, content-type, Content-Type, x-requested-with, access-control-request-headers"
      exposed-headers: "accept, origin, authorization, content-type, Content-Type, x-requested-with, access-control-request-headers"

To Reproduce

### Screenshots
(If applicable, add screenshots to help explain your problem.)

## Environment (please complete the following information):

### Output of `uname -a` or `ver`

### Output of `java -version`

### GraalVM version (if different from Java)

### Quarkus version or git rev

### Build tool (ie. output of `mvnw --version` or `gradlew --version`)

## Additional context
(Add any other context about the problem here.)

[sberyozkin]

@YunaBraska, it looks like it is a formatting issue.
The code which deals with this header is here. So it takes headers and then adds the request header which is contained in those headers to Access-Control-Request-Headers

So it should certainly return Content-Type.
Can you please try plain text application.properties format just to eliminate the formatting issue ?

[YunaBraska]

Properties looks like the same...

My config

quarkus.http.access-log.enabled=true
quarkus.http.cors=true
quarkus.http.cors.origins=*
quarkus.http.cors.methods=POST, GET, PUT, OPTIONS, DELETE
quarkus.http.cors.headers=Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With

Browser Request:

Request URL: http://localhost:8081/users/login
Request Method: OPTIONS
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,de;q=0.8,en-US;q=0.7
Access-Control-Request-Headers: content-type
Access-Control-Request-Method: POST
Connection: keep-alive
Host: localhost:8081
Origin: http://localhost:8080
Referer: http://localhost:8080/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

Quarkus response:

HTTP/1.1 200 OK
Content-Length: 24
Access-Control-Allow-Origin: *
Allow: HEAD, POST, GET, OPTIONS
Content-Type: text/plain;charset=UTF-8

Browser error:
Access to XMLHttpRequest at 'http://localhost:8081/users/login' from origin 'http://localhost:8080' has been blocked by CORS policy: Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.

[sberyozkin]

@YunaBraska Can you remove between the values ? The code does not trim at the moment (will have to be fixed)

[YunaBraska]

Hm it doesn't work either, its totally ignoring my CORS config.... My current workaround is to create a @Provider like this CorsOverwriteHeaders implements ContainerResponseFilter and put the config hardcoded in there :(

[MarkusKramer]

I'm seeing the same issue. However, the issue only seems to occur when compiling to a native image. When running in dev mode (JRE based) CORS is working fine.
I'm also using a custom CORS filter a workaround now.

[giacomobartoli]

@MarkusKramer experiencing the same issue. Did you find a solution or workaround?
Currently it works fine on localhost, but the error appears when deployed to open shift.
Using Quarkus 1.6.0.

[YunaBraska]

@MarkusKramer experiencing the same issue. Did you find a solution or workaround?

Currently it works fine on localhost, but the error appears when deployed to open shift.

Using Quarkus 1.6.0.

For me it works fine until the native image

[MarkusKramer]

I'm using this as workaround (writting in Kotlin):

import javax.ws.rs.container.ContainerResponseContext
import javax.ws.rs.container.ContainerResponseFilter
import javax.ws.rs.ext.Provider

@Provider
class CorsFilter : ContainerResponseFilter {

    override fun filter(requestContext: ContainerRequestContext, responseContext: ContainerResponseContext) {
        responseContext.headers.add("Access-Control-Allow-Origin", "*")
        responseContext.headers.add("Access-Control-Allow-Headers", "*")
        responseContext.headers.add("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS, HEAD")
    }

}

It works in dev mode and native image, from locahost and from remote hosts.

[MarkusKramer]

Just wanted to confirm that I'm still seeing this issue with quarkus 2.5.0.Final. The browser requests "Access-Control-Request-Headers: content-type,x-build", quarkus responds with "access-control-allow-headers: content-type" only, despite having set "quarkus.http.cors=true" in the application config.

[AliLozano]

Just wanted to confirm that I'm still seeing this issue with quarkus 2.5.0.Final. The browser requests "Access-Control-Request-Headers: content-type,x-build", quarkus responds with "access-control-allow-headers: content-type" only, despite having set "quarkus.http.cors=true" in the application config.

Just happened to me, I tested it in dev and quarkus returns x-build in the allow headers, but when I run it with docker it only returns content-type (Tested in 2.12.1.Final)

[geoand]

@sberyozkin what should be done with this issue?

[sberyozkin]

Will be looking at this issue next week

[sberyozkin]

HI All,

I've opened a PR confirming Quarkus correctly manages this CORS header, #29682
This PR will close this issue once approved/merged.
Please re-open the issue if the problem persists - but only with the reproducer :-)
Thanks