davidtinker / grails-cors

Grails plugin to add Cross-Origin Resource Sharing (CORS) headers

Configured Access-Control-Allow-Origin not respected #21

Closed tuler closed 10 years ago

tuler commented 10 years ago

The documentation says that "you can override the default values used for the headers by supplying a headers map", including Access-Control-Allow-Origin, as the example suggests.

But this particular header is not respected, and the Origin header is always echoed back [1], because the code removes the configured header from the map [2].

[1] https://github.com/davidtinker/grails-cors/blob/master/src/java/com/brandseye/cors/CorsFilter.java#L110

[2] https://github.com/davidtinker/grails-cors/blob/master/src/java/com/brandseye/cors/CorsFilter.java#L63

I need to respond '*' as Access-Control-Allow-Origin.

davidtinker commented 10 years ago

Hmm. Does echoing back the Origin header not work for your use-case?

tuler commented 10 years ago

No, because the result (including the headers) is cached by a CDN. This result is sometimes accessed by http://www.mydomain.com and sometimes by http://mydomain.com

davidtinker commented 10 years ago

Aha. I see you have forked the repo. Are you working on a fix?

tuler commented 10 years ago

I wrote a fix, but was not satisfied with the elegance of my code, so I deleted it :-)

I guess your desired default behavior is to echo back the origin and also accept any origin, right?

davidtinker commented 10 years ago

The original plugin behaviour was to just send back '*' but someone suggested (and created a PR) that it would be more correct according to their reading of the spec to echo back the "Origin" header. It's probably best just to make the plugin behave according to the README:

cors.headers = ['Access-Control-Allow-Origin': '*']

I don't think this is likely to break anyone's stuff.

tuler commented 10 years ago

According to the README, which my issue is based on, I think that if the user defined the Access-Control-Allow-Origin header it should be respected.

But what happens if the user didn't configure anything?

davidtinker commented 10 years ago

Not configuring anything should echo back 'Origin' as it does now.
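
The following is an added example, not part of the thread and not the plugin's `CorsFilter` code. It models the behaviour agreed above (a configured `Access-Control-Allow-Origin` is respected, otherwise `Origin` is echoed) and shows why an echoed value breaks once a CDN replays the first response to a second origin. The class and method names are hypothetical, and the browser check is simplified to non-credentialed requests.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added illustration; names are hypothetical and this is not the plugin's filter.
public class AllowOriginDemo {

    // Header value the server sends: the configured value if one exists,
    // otherwise the request's Origin echoed back.
    static String allowOrigin(Map<String, String> configuredHeaders, String requestOrigin) {
        String configured = configuredHeaders.get("Access-Control-Allow-Origin");
        return configured != null ? configured : requestOrigin;
    }

    // Simplified browser check for a non-credentialed request: the response is
    // readable only if the header is '*' or matches the page's origin exactly.
    // (For credentialed requests browsers do not accept '*'.)
    static boolean browserAccepts(String allowOriginHeader, String pageOrigin) {
        return "*".equals(allowOriginHeader) || pageOrigin.equals(allowOriginHeader);
    }

    // CDN model: the first response (headers included) is stored and replayed
    // to every later request for the same URL, whatever its Origin is.
    static Map<String, Boolean> viaCdn(Map<String, String> config, List<String> pageOrigins) {
        String cachedHeader = null;
        Map<String, Boolean> readable = new LinkedHashMap<>();
        for (String origin : pageOrigins) {
            if (cachedHeader == null) {
                cachedHeader = allowOrigin(config, origin); // cache miss: hits the application
            }
            readable.put(origin, browserAccepts(cachedHeader, origin));
        }
        return readable;
    }

    public static void main(String[] args) {
        // The two origins named in the thread.
        List<String> origins = List.of("http://www.mydomain.com", "http://mydomain.com");

        // Nothing configured: the first Origin is cached, the second one is refused.
        System.out.println("echo Origin : " + viaCdn(Map.of(), origins));

        // cors.headers = ['Access-Control-Allow-Origin': '*'] from the README.
        System.out.println("configured *: "
                + viaCdn(Map.of("Access-Control-Allow-Origin", "*"), origins));
    }
}
```

A cache that keys on the `Origin` request header, which is what a `Vary: Origin` response header asks for, would also avoid the replay in the echo case.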