Skip to content


Luc Everse requested to merge cors into development


Adds CORS support to the core.

CORS is a security feature enforced by the browser. Now the UI could potentially be served from a different origin, browsers may block API calls to the core. This MR introduces ways to whitelist such origins.


  • The global settings are actually global now and are loaded statically before the server boots
  • The security configuration has been restructured to make more sense.


  • A CORS allowed API origins setting, which is a list of permitted origins. This has to be edited into the settings.json file, however; the settings UI breaks this but I'd rather clean all the bathrooms in the library with my tongue than fix the old settings UI
  • A CORS preflight patch filter, which awards a CORS-specific authorization to preflight requests only.
  • A CORS error header-patch filter, which forces headers upon valid CORS requests where Spring didn't add any

Test and Review

To be filled in by the reviewers

  • All of the methods are commented to expectation

  • The methods are tested to satisfaction

  • There are no unnecessary files present in the MR

  • The continuous integration has no problems with the MR

  • The MR is filled in as requested (including labels, milestones, and reviewers)

  • The documentation is up-to-date

  • All nullable parameters are marked as such

Edited by Erik Oudsen

Merge request reports