CORS Feature in 8.1.1

[PhilippS93]

Describe the bug
The CORS feature seems not to work, even when specifying wildcard operator. Seems like org/springframework/web/cors/CorsConfiguration.java is calling getAllowedOrigins() before the value is initialized by setAllowedOrigins().

Expected behavior
CORS settings are are applied

[oliemansm]

@PhilippS93 So you've configured it like this?

graphql.servlet.cors.allowed-origins: "*"

[PhilippS93]

Exactly, I tried (.yml file):

graphql:
  servlet:
    cors:
      allowed-origins:
        - "*"
        - "http://mydomain.com"
        - "http://mydomain.com:8080"
        - "^(http?://(?:.+\.)?mydomain\.com(?::\d{1,5})?)$."

This should have covered everything.

Best,
Philipp

[oliemansm]

And this exact same configuration does work with version 8.0.0?

[PhilippS93]

On 8.0.0, no configuration was needed. Because of the change in 8.1.0 (CORS), this configuration seems to be mandatory. But it is not working either in 8.1.0 nor 8.1.1.

[oliemansm]

Found the problem which will be fixed in next version. That'll contain an upgrade to graphql-java 16.1 too.

Could you set the allowed headers in the meantime?

graphql.servlet.cors.allowed-headers: GET, HEAD, POST

[PhilippS93]

I added

      allowed-headers:
        - "GET"
        - "HEAD"
        - "POST"

and also

      allowed-origins:
        - "*"

but I am still getting Invalid CORS request in my response request (403).

[oliemansm]

Sorry my mistake. You should add allowed-methods instead of headers.

[PhilippS93]

Thanks, that solved it.

[moose-byte]

I ran into this same problem and adding allowed-methods solved it for me! I created a PR to update the README and add that to the GraphQL Servlet section

#530

[remo87]

I have this config and still it doesn't work
graphql:
servlet:
exception-handlers-enabled: true
cors:
allowed-origins:
- "*"
allowed-methods:
- "GET"
- "HEAD"
- "POST"

[hilbertglm]

@remo87, I am having problems with this as well, but you might want to try the comma-separated list for allowed methods instead of the YAML array notation.

[VladReutCoqniteq]

i'm having same issue with @remo87 and @hilbertglm.
find two solution works for me
1. application.yml
graphql:
servlet:
exception-handlers-enabled: true
cors:
allowed-origins: ""
allowed-methods: ""
allowed-headers: ""
2. bean Filter
@configuration
public class Filter {
@bean
public FilterRegistrationBean corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.addAllowedOrigin("");
config.addAllowedHeader("");
config.addAllowedMethod("");
source.registerCorsConfiguration("/**", config);
FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
bean.setOrder(0);
return bean;
}
}