Issue
- When configuring CORS headers in System Settings we are seeing that access-control-allow-origin header doesn't always have the configured value.
Environment
- Liferay DXP 7.4
Resolution
- According to the specification, if the request is valid for cors and it has a "Origin" header, this value will be set as access-control-allow-origin in response headers instead of the value set in the configuration.
This is what the specification states:
Limiting the possibleAccess-Control-Allow-Origin
values to a set of allowed origins requires code on the server side to check the value of the Origin
request header, compare that to a list of allowed origins, and then if the Origin
value is in the list, set the Access-Control-Allow-Origin
value to the same value as the Origin
value.
Additional Information
Subscriber Exclusive Content
A Liferay Enterprise Subscription provides access to over 1,500 articles that include best practices, troubleshooting, and other valuable solutions. Sign in for full access.
Sign In