Config

Jooby Version: 2.13.0 Using Undertow JDK 17

My setup of CORS works as expected (with only 1 exception) with the config below:

```java
Cors cors = new Cors().setMethods("GET", "POST", "PUT", "DELETE", "OPTIONS");
cors.allowOrigin("*");
cors.setExposedHeaders("RT");
cors.setUseCredentials(true);
decorator(new CorsHandler(cors));
```

The problem appears when I set a custom header on the client. Suddenly I see the message with error code 403:

Same Origin Policy disallows reading the remote resource at http://localhost:9801/test. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

Help please....

Tutan
  • Which custom header are you setting on the request? Please include all the relevant information (but no more than that) to your question; see https://stackoverflow.com/help/how-to-ask – jub0bs Mar 18 '22 at 08:53
  • If you look at the code above you can see I am setting **RT** as a custom header. I am using it to track a session variable. Basically from my API the header **RT** is set and is sent as part of the response. I want to send this value back to the server by setting it on the response. But whenever I do, the request fails first from **OPTIONS** and then the **POST** fails as well for a similar reason. – Tutan Mar 18 '22 at 16:23
  • All your code shows is that, in your CORS config, you're _exposing_ a _response_ header named `RT` to client code. Perhaps you're confusing `setExposedHeaders` with `setAllowedHeaders`... – jub0bs Mar 18 '22 at 16:24
  • I do not see the method `setAllowedHeaders`. But there is `setHeaders`. Here I added **RT** and (re-added) the default headers and it seemed to work. Do you know when to use ExposedHeaders? Thanks – Tutan Mar 18 '22 at 16:49
  • See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers – jub0bs Mar 19 '22 at 08:25

1 Answer

Based on the suggestion, I investigated and found that if I used Cors.setHeader(), I was able to get my requests working as expected.

There may be other solutions, but this worked for me.

Please note that the method is not accretive, meaning that you have to add the default headers like Origin and Accept, otherwise your single header will be the only one.

Tutan
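
The mechanism discussed in this thread, as an added example that is not part of the original posts and is not Jooby's code: a simplified JavaScript model of the server-side preflight decision, showing why exposing `RT` does not allow it as a request header and why replacing the allowed-header list drops the defaults. The default header list, the client origin and the explicit origin allow-list are assumptions of the model.

```javascript
// Simplified model of a server-side CORS preflight check; not Jooby's implementation.
// DEFAULT_ALLOWED is an assumed default allow-list of request headers.
const DEFAULT_ALLOWED = ["X-Requested-With", "Content-Type", "Accept", "Origin"];
const lower = (list) => list.map((h) => h.trim().toLowerCase()).filter(Boolean);

// Decide an OPTIONS preflight; `request` maps lower-cased header names to values.
function preflight(config, request) {
  const allowed = new Set(lower(config.allowedHeaders));
  const requested = lower((request["access-control-request-headers"] || "").split(","));
  const rejected = requested.filter((h) => !allowed.has(h));
  const methodOk = config.methods.includes(request["access-control-request-method"]);
  if (!config.origins.includes(request.origin) || !methodOk || rejected.length > 0) {
    // No Access-Control-* headers on rejection: the browser reports ACAO as missing.
    return { status: 403, headers: {}, rejected };
  }
  return {
    status: 204,
    rejected,
    headers: {
      // With credentials the exact origin must be named; browsers refuse "*".
      "Access-Control-Allow-Origin": request.origin,
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Headers": requested.join(", "),
    },
  };
}

// Constructed sample: the preflight a browser sends before a JSON POST that sets RT.
const sampleRequest = {
  origin: "http://localhost:3000", // hypothetical client origin
  "access-control-request-method": "POST",
  "access-control-request-headers": "content-type, rt",
};
const base = {
  origins: ["http://localhost:3000"], // explicit allow-list (assumption of this model)
  methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
  exposedHeaders: ["RT"], // response-side setting; preflight() never consults it
};
// Headers as configured in the question: RT is exposed but not allowed.
const asPosted = { ...base, allowedHeaders: DEFAULT_ALLOWED };
// The setter replaces the list, so allowing only RT drops Content-Type.
const onlyRT = { ...base, allowedHeaders: ["RT"] };
// The answer's working variant: defaults re-added alongside RT.
const fixed = { ...base, allowedHeaders: [...DEFAULT_ALLOWED, "RT"] };

for (const [name, cfg] of Object.entries({ asPosted, onlyRT, fixed })) {
  const { status, rejected } = preflight(cfg, sampleRequest);
  console.log(name, status, "rejected:", rejected.join(", ") || "none");
}
```

Only the third configuration passes the preflight; the first two fail on `rt` and `content-type` respectively.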