Hi Giulio 🙂,

I have checked the code and I think you are absolutely right.

I have submitted two pull requests

- #1034 for framework (https://github.com/apache/ofbiz-framework/pull/1034)
- #170 for plugins (https://github.com/apache/ofbiz-plugins/pull/170)

that should address the issue by

- introducing the new property cors.origins.allowed in
security.properties, so that the list of allowed origins can be
specified (framework);
- adding the new method getCorsOriginsAllowed() to UtilMisc to
retrieve the list of allowed origins from cors.origins.allowed
(framework);
- modifying the APICorsFilter class to correctly compare the Origin
header of the request with the list of allowed origins and to populate
the Access-Control-Allow-Origin response header based on the matching
result (plugins).

Could you please check whether these fixes work in your case?

Thank you

Anahita

On Mon, 23 Mar 2026 at 10:19, Giulio Speri - MpStyle Srl
<[email protected]> wrote:
>
> Good morning devs,
>
> I hope you are doing well.
> I would like to have your opinion about the *APICorsFilter* in the
> *rest-api* plugin.
>
> We are using that plugin in a custom version of OFBiz and we have had a
> little confusion due to a CORS error which prevented the correct calls of
> the services coming from the UI.
> Specifically from the Network tab of the browser we saw that the response
> header "Access-Control-Allow-Origin" never matched the "Origin" header.
>
> After a bit of research we noticed that the APICorsFilter class set
> the Access-Control-Allow-Origin searching a match among the values of the
> "host-headers-allowed" in security.property.
> It is not completely clear to us why that is, since that property should
> contain only domain names, not full origins.
>
> So my question is: are there any specific reasons to read both, allowed
> domains and full origins, from that property?
> Wouldn't it be better to have a specific new property for the cors origin
> allowed only?
>
> Thanks in advance for sharing your thoughts on this.
>
> Giulio
>
>
> --
> ------------
> Giulio Speri
> Full Stack Web Developer
>
>
>
> *Mp Style Srl*
> via Antonio Meucci, 37
> 41019 Limidi di Soliera (MO)
> T 059/684916
> M 347/0965506
>
> www.mpstyle.it
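
The origin comparison described in the reply above, as an added example that is not the code from PR #1034 or #170: the class and method names are hypothetical, and the comma-separated format assumed for cors.origins.allowed is an assumption. It also shows why a host-only entry, as found in host-headers-allowed, can never equal an Origin header.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.*;
import java.util.stream.Collectors;

// Added illustration, not the OFBiz implementation; all names are hypothetical.
public class CorsOriginCheck {
    // Canonical "scheme://host[:port]" form, or empty if the value is not a bare origin.
    static Optional<String> normalise(String value) {
        if (value == null) return Optional.empty();
        try {
            URI u = new URI(value.trim());
            if (u.getScheme() == null || u.getHost() == null) return Optional.empty();
            // A serialized origin carries no user info, path, query or fragment.
            if (u.getRawUserInfo() != null || !u.getRawPath().isEmpty()
                    || u.getRawQuery() != null || u.getRawFragment() != null) return Optional.empty();
            String scheme = u.getScheme().toLowerCase(Locale.ROOT);
            int port = u.getPort();
            boolean dflt = port == -1 || (port == 443 && scheme.equals("https"))
                    || (port == 80 && scheme.equals("http"));
            return Optional.of(scheme + "://" + u.getHost().toLowerCase(Locale.ROOT) + (dflt ? "" : ":" + port));
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
    }

    // Assumption: the property value is a comma-separated list of full origins.
    static Set<String> parseAllowed(String propertyValue) {
        return Arrays.stream(propertyValue.split(","))
                .map(CorsOriginCheck::normalise)
                .flatMap(Optional::stream)
                .collect(Collectors.toSet());
    }

    // Value for Access-Control-Allow-Origin, or empty when the header must be omitted.
    static Optional<String> allowOriginHeader(String requestOrigin, Set<String> allowed) {
        return normalise(requestOrigin).filter(allowed::contains);
    }

    public static void main(String[] args) {
        Set<String> allowed = parseAllowed("https://shop.example.com, http://localhost:3000"); // constructed
        String[] origins = {"https://shop.example.com", "http://localhost:3000",
                "shop.example.com", "https://shop.example.com.other.test", "null"};
        for (String o : origins) {
            System.out.println(o + " -> " + allowOriginHeader(o, allowed).orElse("(header omitted)"));
        }
    }
}
```

Only the first two sample origins produce a header value; the host-only string, the lookalike suffix and the literal "null" origin are all rejected by exact comparison. When the header value depends on the request's Origin, the response should also carry Vary: Origin so that caches do not reuse it for a different origin.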
