Affects: Spring Web 5.2.4.RELEASE
Initial issue opened in Spring Cloud Gateway: https://github.com/spring-cloud/spring-cloud-gateway/issues/1607
Application APIs can be called by multiple origins. For applications that represent some kind of platform within a company it often makes sense to accept all requests from origins coming from the company domain, basically accept all requests with an origin matching a pattern *.company.com. Currently the default Spring CorsConfiguration supports only a list of origins. I think this might not be flexible enough, as it will require a configuration change every time a new application within a company wants to call that REST API (especially in case of an API Gateway).
Proposal: add support for CORS configuration based on a pattern matching.
One option would be, I guess, to extend the existing CorsConfiguration class with an additional field allowedOriginPatterns and modify checkOrigin to use this property.
Or have a separate CorsConfiguration implementation that is using pattern matching.
While current solution is extendible and this approach can be implemented within the application itself, I think this should be a part of framework because it's a widely used functionality and is supported by other frameworks that are used for API implementation.
For example vert.x CorsHandler supports that: https://github.com/vert-x3/vertx-web/blob/5cd7ecaa6bead1b246b5327537ee9b82c22187bc/vertx-web/src/main/java/io/vertx/ext/web/handler/CorsHandler.java#L42 Also, Kong supports pattern based origins as well.
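A sketch of the pattern check proposed above, as an added example that is not part of the original issue and not Spring's code. The class OriginPatternMatcher, the scheme-qualified pattern https://*.company.com and the sample origins are assumptions made for illustration; the point is that the wildcard is restricted to host labels and the match is anchored, so look-alike origins are rejected.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added illustration: a hypothetical helper, not Spring's CorsConfiguration.
public class OriginPatternMatcher {

    // "*" may only expand to one or more dot-separated host labels, so it can
    // never swallow "/", ":", "@" or whitespace.
    private static final String WILDCARD = "[A-Za-z0-9-]+(?:\\.[A-Za-z0-9-]+)*";

    private final List<Pattern> patterns = new ArrayList<>();

    public OriginPatternMatcher(List<String> originPatterns) {
        for (String p : originPatterns) {
            patterns.add(compile(p));
        }
    }

    // Quote every literal part so "." in "company.com" is not a regex wildcard.
    static Pattern compile(String originPattern) {
        String[] parts = originPattern.split("\\*", -1);
        for (int i = 0; i < parts.length; i++) {
            parts[i] = Pattern.quote(parts[i]);
        }
        return Pattern.compile(String.join(WILDCARD, parts), Pattern.CASE_INSENSITIVE);
    }

    // matches() anchors at both ends, so an allowed name followed by another
    // domain ("https://app.company.com.example.net") is rejected.
    public boolean isAllowed(String origin) {
        if (origin == null) {
            return false;
        }
        for (Pattern p : patterns) {
            if (p.matcher(origin).matches()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        OriginPatternMatcher m = new OriginPatternMatcher(Arrays.asList("https://*.company.com"));
        // Constructed sample Origin header values.
        for (String origin : Arrays.asList("https://app.company.com", "https://a.b.company.com",
                "https://company.com", "https://evilcompany.com",
                "https://app.company.com.example.net", "http://app.company.com")) {
            System.out.println(origin + " -> " + m.isAllowed(origin));
        }
    }
}
```

Only the first two sample origins are accepted; the bare apex, the look-alike domain, the suffixed host and the plain-http origin are all refused.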
Comment From: sdeleuze
Historically, we have built CorsConfiguration capabilities by staying pretty close to CORS specification. It currently supports plain list of origins and *. Notice that CorsConfiguration#checkOrigin is more flexible than the specification since it supports * also when allowCredentials is true.
But indeed patterns like *.company.com or regexp are not supported yet, and I tend to agree that could be a useful feature, maybe worth to consider for 5.3. We could extend * support patterns like *.company.com or support regexp.
Any thoughts @rstoyanchev?
Comment From: rstoyanchev
Yes, I think it would be useful to support that.
Comment From: korektur
@rstoyanchev can I do the change myself and open a merge request?
Comment From: rstoyanchev
@korektur yes if you submit a pull request, we'll review it.
Comment From: korektur
@rstoyanchev I have opened a pull request - https://github.com/spring-projects/spring-framework/pull/25016 Can you please review and let me know if that approach is suitable. Thanks.
Comment From: korektur
@rstoyanchev @sdeleuze can you review the merge request please? https://github.com/spring-projects/spring-framework/pull/25016 It's been open for almost a month now without any comments, unfortunately.
Comment From: rstoyanchev
Superseded by #25016.