Thank you Giulio, Anahita.

In my opinion what Giulio reported can be considered a bug that I'd like to
backport to the release24.09 branch, in preparation for the new release.
Anahita, would you mind creating two pull requests for the release24.09
branch?

Jacopo


On Mon, Mar 30, 2026 at 9:34 AM Giulio Speri - MpStyle Srl <
[email protected]> wrote:

> Good morning Anahita,
>
> your two PRs have been merged into trunk.
>
> Thanks and have a good day ahead,
>
> Giulio
>
> On Fri, Mar 27, 2026 at 3:55 PM Anahita Goljahani <
> [email protected]> wrote:
>
> > Hi Giulio,
> >
> > thanks!
> >
> > Anahita
> >
> > On Fri, Mar 27, 2026 at 11:29 AM Giulio Speri - MpStyle Srl
> > <[email protected]> wrote:
> > >
> > > Hi Anahita,
> > >
> > > I reviewed the PRs and I can confirm that those modifications are what I
> > > had also in mind and that would fix the CORS handling by that filter.
> > >
> > > On Fri, Mar 27, 2026 at 9:19 AM Giulio Speri - MpStyle Srl <
> > > [email protected]> wrote:
> > >
> > > > Good morning Anahita,
> > > >
> > > > thank you for submitting the PRs.
> > > > When I first looked at the code of that filter I was thinking of exactly
> > > > the same modification you probably did. I'll review them as soon as
> > > > possible and I'll give you feedback.
> > > >
> > > > Thanks! :)
> > > > Giulio
> > > >
> > > > On Thu, Mar 26, 2026 at 8:44 PM Anahita Goljahani <
> > > > [email protected]> wrote:
> > > >
> > > >> Hi Giulio 🙂,
> > > >>
> > > >> I have checked the code and I think you are absolutely right.
> > > >>
> > > >> I have submitted two pull requests
> > > >>
> > > >> - #1034 for framework (https://github.com/apache/ofbiz-framework/pull/1034)
> > > >> - #170 for plugins (https://github.com/apache/ofbiz-plugins/pull/170)
> > > >>
> > > >> that should address the issue by
> > > >>
> > > >> - introducing the new property cors.origins.allowed in
> > > >> security.properties, so that the list of allowed origins can be
> > > >> specified (framework);
> > > >> - adding the new method getCorsOriginsAllowed() to UtilMisc to
> > > >> retrieve the list of allowed origins from cors.origins.allowed
> > > >> (framework);
> > > >> - modifying the APICorsFilter class to correctly compare the Origin
> > > >> header of the request with the list of allowed origins and to populate
> > > >> the Access-Control-Allow-Origin response header based on the matching
> > > >> result (plugins).
> > > >>
> > > >> Could you please check whether these fixes work in your case?
> > > >>
> > > >> Thank you
> > > >>
> > > >> Anahita
> > > >>
> > > >> On Mon, Mar 23, 2026 at 10:19 AM Giulio Speri - MpStyle Srl
> > > >> <[email protected]> wrote:
> > > >> >
> > > >> > Good morning devs,
> > > >> >
> > > >> > I hope you are doing well.
> > > >> > I would like to have your opinion about the *APICorsFilter* in the
> > > >> > *rest-api* plugin.
> > > >> >
> > > >> > We are using that plugin in a custom version of OFBiz and we have had a
> > > >> > little confusion due to a CORS error which prevented the correct calls of
> > > >> > the services coming from the UI.
> > > >> > Specifically, from the Network tab of the browser we saw that the response
> > > >> > header "Access-Control-Allow-Origin" never matched the "Origin" header.
> > > >> >
> > > >> > After a bit of research we noticed that the APICorsFilter class set
> > > >> > the Access-Control-Allow-Origin searching a match among the values of the
> > > >> > "host-headers-allowed" in security.property.
> > > >> > It is not completely clear to us why that is, since that property should
> > > >> > contain only domain names, not full origins.
> > > >> >
> > > >> > So my question is: are there any specific reasons to read both allowed
> > > >> > domains and full origins from that property?
> > > >> > Wouldn't it be better to have a specific new property for the cors origin
> > > >> > allowed only?
> > > >> >
> > > >> > Thanks in advance for sharing your thoughts on this.
> > > >> >
> > > >> > Giulio
> > > >> >
> > > >> >
> > > >> > --
> > > >> > ------------
> > > >> > Giulio Speri
> > > >> > Full Stack Web Developer
> > > >> >
> > > >> >
> > > >> >
> > > >> > *Mp Style Srl*
> > > >> > via Antonio Meucci, 37
> > > >> > 41019 Limidi di Soliera (MO)
> > > >> > T 059/684916
> > > >> > M 347/0965506
> > > >> >
> > > >> > www.mpstyle.it
> > > >>
> > > >
> > > >
> > > > --
> > > > ------------
> > > > Giulio Speri
> > > > Full Stack Web Developer
> > > >
> > > >
> > > >
> > > > *Mp Styl**e Srl*
> > > > via Antonio Meucci, 37
> > > > 41019 Limidi di Soliera (MO)
> > > > T 059/684916
> > > > M 347/0965506
> > > >
> > > > www.mpstyle.it
> > > >
> > > >
> > > >
> > >
> >
>
>
>
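
The mismatch discussed in this thread, as an added example that is not part of the original messages and is not OFBiz code: an Origin header carries scheme, host and port, so it never equals an entry in a list of bare host names, while a dedicated list of full origins can be matched exactly. The class and method names and all sample values are hypothetical; the example assumes comma-separated property values and exact string comparison.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;

// Added illustration, not OFBiz code: names and sample values are hypothetical.
public class CorsOriginCheckDemo {

    // Parse a comma-separated property value (assumed format for cors.origins.allowed).
    static List<String> parseList(String propertyValue) {
        return Arrays.stream(propertyValue.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toList());
    }

    // Exact match on the full origin string; no prefix, suffix or substring matching.
    static Optional<String> allowedOrigin(String originHeader, List<String> allowed) {
        if (originHeader == null || originHeader.isEmpty()) {
            return Optional.empty();
        }
        return allowed.stream().filter(originHeader::equals).findFirst();
    }

    // Build the CORS response headers; nothing is added when the origin is not listed.
    static Map<String, String> corsHeaders(String originHeader, List<String> allowed) {
        Map<String, String> headers = new LinkedHashMap<>();
        allowedOrigin(originHeader, allowed).ifPresent(origin -> {
            headers.put("Access-Control-Allow-Origin", origin);
            headers.put("Vary", "Origin"); // the response differs per origin, so caches must key on it
        });
        return headers;
    }

    public static void main(String[] args) {
        // Constructed sample values: a host-name list and a list of full origins.
        List<String> hosts = parseList("localhost,127.0.0.1,shop.example.com");
        List<String> origins = parseList("https://shop.example.com, http://localhost:3000");
        String uiOrigin = "https://shop.example.com";

        // Origin compared with bare host names, as in the behaviour reported in the thread.
        System.out.println("host-name list:   " + corsHeaders(uiOrigin, hosts));
        // Origin compared with a dedicated list of full origins.
        System.out.println("origin list:      " + corsHeaders(uiOrigin, origins));
        // An origin that merely starts with an allowed value is a different origin.
        System.out.println("lookalike origin: " + corsHeaders("https://shop.example.com.other.test", origins));
    }
}
```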
