- When configuring CORS headers in System Settings we are seeing that access-control-allow-origin header doesn't always have the configured value.
- Liferay DXP 7.4
- According to the specification, if the request is valid for cors and it has a "Origin" header, this value will be set as access-control-allow-origin in response headers instead of the value set in the configuration.
This is what the specification states:Limiting the possible
Access-Control-Allow-Origin values to a set of allowed origins requires code on the server side to check the value of the
Origin request header, compare that to a list of allowed origins, and then if the
Origin value is in the list, set the
Access-Control-Allow-Origin value to the same value as the
Subscriber Exclusive Content
A Liferay Enterprise Subscription provides access to over 1,500 articles that include best practices, troubleshooting, and other valuable solutions. Sign in for full access.Sign In