Cross-Origin 资源共享
Cross-origin resource sharing (CORS) is an HTTP-header-based mechanism that allows a server to indicate any origins other than its own, from which a browser should permit loading resources.
These origins consist of a single domain, scheme, and port. For the complete origin definition, see the Web Origin Concept page.
CORS filter
Quarkus provides a CORS filter, which implements the jakarta.servlet.Filter
interface and intercepts all incoming HTTP requests.
It can be enabled in the Quarkus configuration file, src/main/resources/application.properties
:
quarkus.http.cors=true
When the filter is enabled and identifies an HTTP request as cross-origin, it will enforce the CORS policy. It will also add headers configured with the following properties before forwarding the request to its intended destination, like a servlet, Jakarta REST resource, or other endpoints.
Configuration property fixed at build time - All other configuration properties are overridable at runtime
Configuration property |
类型 |
默认 |
---|---|---|
Origins allowed for CORS Comma separated list of valid URLs, e.g.: http://www.quarkus.io,http://localhost:3000 In case an entry of the list is surrounded by forward slashes, it is interpreted as a regular expression. Environment variable: Show more |
list of string |
|
HTTP methods allowed for CORS Comma separated list of valid methods. ex: GET,PUT,POST The filter allows any method if this is not set. default: returns any requested method as valid Environment variable: Show more |
list of string |
|
HTTP headers allowed for CORS Comma separated list of valid headers. ex: X-Custom,Content-Disposition The filter allows any header if this is not set. default: returns any requested header as valid Environment variable: Show more |
list of string |
|
HTTP headers exposed in CORS Comma separated list of valid headers. ex: X-Custom,Content-Disposition default: empty Environment variable: Show more |
list of string |
|
The Environment variable: Show more |
||
The Environment variable: Show more |
boolean |
About the Duration format
To write duration values, use the standard You can also use a simplified format, starting with a number:
In other cases, the simplified format is translated to the
|
-
An example of a full CORS filter configuration that includes a regular expression defining an allowed origin
quarkus.http.cors=true quarkus.http.cors.origins=http://foo.com,http://www.bar.io,/https://([a-z0-9\\-_]+)\\\\.app\\\\.mydomain\\\\.com/ quarkus.http.cors.methods=GET,PUT,POST quarkus.http.cors.headers=X-Custom quarkus.http.cors.exposed-headers=Content-Disposition quarkus.http.cors.access-control-max-age=24H quarkus.http.cors.access-control-allow-credentials=true
/https://([a-z0-9\\-_]+)\\\\.app\\\\.mydomain\\\\.com/
is treated as a regular expression because forward slash characters surround it.
If you use regular expressions in an |
Support all origins in dev mode
Configuring required origins when developing a Quarkus application requiring CORS support can be difficult. In such cases, consider allowing all origins in dev mode only in order to focus on the actual development first:
quarkus.http.cors=true
%dev.quarkus.http.cors.origins=/.*/
Enable all origins exclusively for the dev profile. It is not advisable to permit all origins in a production environment, as it can lead to significant security risks. |