1

My API server is running in a Spring Boot application on port 8090 and the front-end application is running in Angular 6. Everything works fine as long as I have a single IP in the Access-Control-Allow-Origin header.

Now the APIs are used by 2 different front-end applications running on different ports (80 and 7000). I added both IPs to the Access-Control-Allow-Origin header and it is not working.

As per this, we can have multiple CORS origins, comma-separated.

Details:

Request:

    Accept: */*
    Accept-Encoding: gzip, deflate
    Accept-Language: en-IN,en-GB;q=0.9,en-US;q=0.8,en;q=0.7
    Access-Control-Request-Headers: content-type,x-auth
    Access-Control-Request-Method: GET
    Cache-Control: no-cache
    Connection: keep-alive
    Host: 192.168.1.10:8090
    Origin: http://192.168.1.10:7000
    Pragma: no-cache
    Referer: http://192.168.1.10:7000/user/dashboard

Response:

    Access-Control-Allow-Headers: X-Auth,Origin,X-Requested-With,Content-Type,Accept,X-Forwarded-For
    Access-Control-Allow-Methods: GET,POST,OPTIONS,PUT,DELETE
    Access-Control-Allow-Origin: http://192.168.1.10,http://192.168.1.10:7000
    Access-Control-Expose-Headers: X-Auth
    Content-Length: 0
    Date: Fri, 01 Feb 2019 05:54:29 GMT

Error: 

Access to XMLHttpRequest at 'http://192.168.1.10:8090/api/patient/logout' from origin 'http://192.168.1.10:7000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header contains multiple values 'http://192.168.1.10,http://192.168.1.10:7000', but only one is allowed.
Nitin
  • 2
    `Access-Control-Allow-Origin: http://192.168.1.10,http://192.168.1.10:7000` is invalid syntax. If you want to allow multiple origins, then instead of hardcoding the origin values in the header, you need to have your server code programmatically/dynamically set the value of the header to a single origin. That code needs to check the value of the Origin request header, and if the value of that Origin request is in the list of origins you want to allow, then set the Access-Control-Allow-Origin response header to that same value. – sideshowbarker Feb 01 '19 at 07:22

2 Answers

3

In most cases this will work, but when you have a request filter in your application you need to write code for that:

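    // Read the Origin header the browser sent with the request
    String origin = request.getHeader("Origin");
    if (StringUtils.isNotBlank(origin)) {
        // Echo the origin back only when the configured list contains "*" or that exact origin
        if (applicationSettings.getAllowedOrigins().contains("*") || applicationSettings.getAllowedOrigins().contains(origin)) {
            response.setHeader("Access-Control-Allow-Origin", origin);
        }
    } else {
        // No Origin header on the request: fall back to the wildcard
        response.setHeader("Access-Control-Allow-Origin", "*");
    }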
Sunil Kanzar
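The approach described in the comment and in the answer above, written out as a complete filter. This is an added example, not code from the question or from either answer; the class name `AllowlistCorsFilter`, the hardcoded allowlist and the `javax.servlet` namespace (Spring Boot 2.x) are assumptions, while the header values are the ones shown in the question's response.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter name; registers itself through component scanning.
@Component
public class AllowlistCorsFilter extends OncePerRequestFilter {
    // Assumed allowlist: the two front ends from the question. Browsers omit the
    // default port, so the port-80 application sends "http://192.168.1.10".
    private static final Set<String> ALLOWED_ORIGINS = new HashSet<>(Arrays.asList(
            "http://192.168.1.10", "http://192.168.1.10:7000"));

    // Exact string match only: no prefix, suffix or wildcard comparison.
    static String resolveAllowedOrigin(String origin) {
        return origin != null && ALLOWED_ORIGINS.contains(origin) ? origin : null;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // The response now depends on the request's Origin, so caches must key on it.
        response.addHeader("Vary", "Origin");

        String allowed = resolveAllowedOrigin(request.getHeader("Origin"));
        if (allowed != null) {
            // Exactly one origin value is sent, never a comma-separated list.
            response.setHeader("Access-Control-Allow-Origin", allowed);
            response.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS,PUT,DELETE");
            response.setHeader("Access-Control-Allow-Headers",
                    "X-Auth,Origin,X-Requested-With,Content-Type,Accept,X-Forwarded-For");
            response.setHeader("Access-Control-Expose-Headers", "X-Auth");
        }
        // Answer preflight requests here. For an origin that is not on the list the
        // reply carries no CORS headers, so the browser blocks the actual request.
        if ("OPTIONS".equalsIgnoreCase(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null) {
            response.setStatus(HttpServletResponse.SC_OK);
            return;
        }
        chain.doFilter(request, response);
    }
}
```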
1

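The below should work to allow multiple origins on the Spring Boot side:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.servlet.config.annotation.CorsRegistry;
    import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

    @Configuration
    public class CorsConfig implements WebMvcConfigurer {

        @Override
        public void addCorsMappings(CorsRegistry registry) {
            // Apply to every path; Spring answers with the one listed origin that matches the request
            registry.addMapping("/**")
                    .allowedOrigins("http://192.168.1.10:8090","http://192.168.1.10:7000");
        }
    }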
kj007