I just spent hours trying to figure out why my cors configuration wasn't working. It turns out that it was. The problem was how I was testing it. There's an optimization https://github.com/spring-projects/spring-framework/blob/4e6532f63994b0c03f15be0bcfb08b9eb978924b/spring-web/src/main/java/org/springframework/web/cors/CorsUtils.java#L43 on whether to output the headers that requires you to set the origin header. That's fair, but could you add some kind of log statement along this path that they they are being skipped? I don't care if it's debug or trace logging (although I think I prefer debug since I only put trace on spring security). I feel like stepping through this with a debugger isn't something I should have to do.
Comment From: sdeleuze
Hi, I understand CORS can be tricky, but for the use case mentioned, I am not in favor of adding such additional logging. The CORS specification is crystal clear on the fact that "A CORS request is an HTTP request that includes an Origin header.", so this behavior should not be surprising or specific to Spring implementation, unlike for example the use case where the response already has a Access-Control-Allow-Origin header. As a consequence, I decline this proposal.