Access-control-allow-origin CORS Header not honoring System setting Configuration


  • When configuring CORS headers in System Settings we are seeing that access-control-allow-origin header doesn't always have the configured value.


  • Liferay DXP 7.4


  • According to the specification, if the request is valid for cors and it has a "Origin" header, this value will be set as access-control-allow-origin in response headers instead of the value set in the configuration.

This is what the specification states:

Limiting the possible Access-Control-Allow-Origin values to a set of allowed origins requires code on the server side to check the value of the Origin request header, compare that to a list of allowed origins, and then if the Origin value is in the list, set the Access-Control-Allow-Origin value to the same value as the Origin value.


Additional Information



Was this article helpful?
1 out of 1 found this helpful