java - CORS allowed-origin restrictions aren’t causing the server to reject requests

Question

I am using Spring Boot v1.5.1, and it seems my restriction on CORS origin is not working.

My application.properties file has the following line (ref1 ref2).

endpoints.cors.allowed-origins=http://mydomain.io

My REST controller looks like the following.

@RestController
@CrossOrigin
@RequestMapping("/api/car")
public class CarCtrl {
  @Autowired
  private CarService carService;

  @GetMapping
  public Car get() {
    return carService.getLatest();
  }
}

However, when I open up a browser and type in http://localhost:8080/api/car I am still able to access the REST endpoint.

I also tried to change my annotation as follows, but that does not work.

@CrossOrigin("${endpoints.cors.allowed-origins}")

Any ideas on what I'm doing wrong?

Note that I am not using WebMvcConfigurerAdapter like this post. Do I really need to extends this class to explicitly control origin? I figured that the @CrossOrigin annotation in addition to the properties file setting would be able to control the allowed origins (as opposed to having to do so programmatically).

Answer 1

However, when I open up a browser and type in http://localhost:8080/api/car I am still able to access the REST endpoint.

CORS allowed-origins settings don’t cause servers to block requests.

And because the server isn’t blocking the request, that doesn’t prevent you from opening the URL directly in a browser.

The same-origin policy is what imposes cross-origin restrictions, and the same-origin policy is only applied to frontend JavaScript in web applications running in a web browser, and using XHR or Fetch or jQuery $.ajax(…) or whatever to make cross-origin requests.

So CORS isn’t a way to cause servers to block requests. And so it also isn’t a way to prevent users from being able to directly navigate to a URL, and isn’t a way to prevent any non-web-application tools like curl or Postman or whatever from accessing the URL.