Remove OpenApi CORS default support #29666
@maxandersen FYI, if a wildcard open api CORS access is really needed, |
fe719f2 to ef303ec
@stuartwdouglas Can you have a look please if you can get a chance? This PR is consistent with #29692. It is worth trying to get it into 2.16.0.CR1 to let users check if no real side-effects are introduced, and eliminate the confusing warning as mentioned by @yrodiere, and make SAST scanners happy too which don't like a wildcard hardcoded.
Hi @gsmet @phillip-kruger Can you please consider reviewing it? FYI, in 2.16.CR1, the default Vert.x HTTP CORSFilter does not enable a wildcard by default, therefore, if the application requires CORS support in 2.16 CR1, they will have to enable Vert.x HTTP CORS even if someone wants a CORS Origin wildcard. Therefore the code in OpenApiHandler which allows a wildcard CORS is effectively dead code in 2.16 CR1 - the situation where the application itself does not need CORS but OpenAPI does is unrealistic IMHO. It is a good opportunity to clean it up for 2.16.Final
LGTM
@sberyozkin could you please add a note to the 2.17 migration guide? Also please do not advise to use |
@gsmet Sorry, I missed your comment, we already updated the docs and earlier migration guide related to I just updated the 3.0 guide: Thanks |
Fixes #28397
Users should set CORS Filter properties themselves (example, `quarkus.http.cors.enabled=true` and `quarkus.http.cors.origins=*` or `quarkus.http.cors.origins=http://localhost:8080,http://quarkus.io`, etc) if they want to access an OpenApi endpoint which requires CORS protection.
Migration note will follow
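An added example, not part of this PR or of Quarkus itself: a small check that a reviewer or CI job could run over an application's properties text to flag a wildcard origin, or origins configured while the CORS filter is not enabled. The function names, finding labels and sample input are constructed for illustration, and treating a missing `quarkus.http.cors.enabled` as disabled is an assumption.

```python
# Constructed sample input, not taken from any real project.
SAMPLE_PROPERTIES = """\
# application.properties (constructed)
quarkus.http.cors.enabled=true
quarkus.http.cors.origins=http://localhost:8080, *
"""

ENABLED_KEY = "quarkus.http.cors.enabled"   # property named in the PR description
ORIGINS_KEY = "quarkus.http.cors.origins"   # property named in the PR description


def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and '#' / '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_cors(text):
    """Return a list of finding labels (hypothetical names) for the CORS settings."""
    props = parse_properties(text)
    # Assumption: an absent 'enabled' property means the CORS filter is off.
    enabled = props.get(ENABLED_KEY, "false").lower() == "true"
    origins = [o.strip() for o in props.get(ORIGINS_KEY, "").split(",") if o.strip()]

    findings = []
    if origins and not enabled:
        # Origins are listed but the filter that would apply them is not on.
        findings.append("origins-set-but-cors-disabled")
    if "*" in origins:
        # A wildcard anywhere in the list allows every origin.
        findings.append("wildcard-origin")
    return findings


if __name__ == "__main__":
    for finding in audit_cors(SAMPLE_PROPERTIES):
        print(finding)
```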