Uploaded image for project: 'Spring Framework'
  1. Spring Framework
  2. SPR-16262

spring-web CORS requires X-Forwarded-Port


    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 4.3.12
    • Fix Version/s: 4.3.14, 5.0.3
    • Component/s: Web
    • Labels:
    • Last commented by a User:


      I am running a spring-boot app within Google AppEngine behind an IAP proxy which terminates https connections. The proxy sets X-Forwarded-Proto=https on requests, but does not set X-Forwarded-Port. The result is that the spring-web CORS filter rejects requests with "not same origin" even though the origin actually is the same.

      This is made worse by the fact that the Chrome browser sends the "origin" header on many different request types, including all POST requests and all resources referenced from a css-file (eg fonts) - ie on requests which are NOT cross-origin.

      While it may be argued that Google should add a header, this is a problem that may hit many users. It is also really really nasty to actually figure out the real cause of the problem..

        Issue Links


          Transition Time In Source Status Execution Times Last Executer Last Execution Date
          Open Open In Progress In Progress
          15d 22h 6m 1 Sébastien Deleuze 20/Dec/17 2:19 PM
          In Progress In Progress Resolved Resolved
          19d 23h 51m 1 Sébastien Deleuze 09/Jan/18 2:11 PM
          Resolved Resolved Closed Closed
          13d 19h 22m 1 Stéphane Nicoll 23/Jan/18 9:33 AM


            • Assignee:
              sdeleuze Sébastien Deleuze
              simon-um simon Kitching
              Last updater:
              Stéphane Nicoll
            • Votes:
              0 Vote for this issue
              3 Start watching this issue


              • Created:
                Days since last comment:
                10 weeks, 2 days ago