Cross-origin resource sharing

Cross-origin resource sharing (CORS) is an HTTP-header-based mechanism that allows a server to indicate any origins other than its own, from which a browser should permit loading resources.

These origins consist of a single domain, scheme, and port. For the complete origin definition, see the Web Origin Concept page.

CORS filter

Quarkus provides a CORS filter, which implements the jakarta.servlet.Filter interface and intercepts all incoming HTTP requests. It can be enabled in the Quarkus configuration file, src/main/resources/application.properties:

quarkus.http.cors=true

When the filter is enabled and identifies an HTTP request as cross-origin, it will enforce the CORS policy. It will also add headers configured with the following properties before forwarding the request to its intended destination, like a servlet, Jakarta REST resource, or other endpoints.


An example of a full CORS filter configuration that includes a regular expression defining an allowed origin:

quarkus.http.cors=true
quarkus.http.cors.origins=http://foo.com,http://www.bar.io,/https://([a-z0-9\\-_]+)\\\\.app\\\\.mydomain\\\\.com/
quarkus.http.cors.methods=GET,PUT,POST
quarkus.http.cors.headers=X-Custom
quarkus.http.cors.exposed-headers=Content-Disposition
quarkus.http.cors.access-control-max-age=24H
quarkus.http.cors.access-control-allow-credentials=true

/https://([a-z0-9\\-_]+)\\\\.app\\\\.mydomain\\\\.com/ is treated as a regular expression because forward slash characters surround it.

If you use regular expressions in an application.properties file, make sure four backslashes are used to represent . and other regular expression metacharacters as literal characters. For example, \\\\. represents a literal . character, while \\. is the . metacharacter, which matches any single character.

Support all origins in dev mode

Configuring required origins when developing a Quarkus application requiring CORS support can be difficult. In such cases, consider allowing all origins in dev mode only in order to focus on the actual development first:

quarkus.http.cors=true
%dev.quarkus.http.cors.origins=/.*/

Enable all origins exclusively for the dev profile. It is not advisable to permit all origins in a production environment, as it can lead to significant security risks.
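The following Python script is an added illustration, not code from this page or from Quarkus itself. It models the two configurations shown above: the properties-file escape pass and the list-splitting pass that together explain the four-backslash rule, the slash-delimited regular-expression form of an allowed origin, the %dev profile override, and the response headers a CORS filter adds for an allowed origin. The sample properties text is constructed for the example; the parser is a deliberately simplified model (it handles only backslash escapes and profile prefixes), and the assumption that a regex origin must match the whole Origin value, not a substring of it, is the script's own.

```python
import re

# Constructed sample application.properties (assumption: combines the two
# configurations shown in the text; not a real project's file).
SAMPLE_PROPERTIES = r"""
quarkus.http.cors=true
quarkus.http.cors.origins=http://foo.com,http://www.bar.io,/https://([a-z0-9\\-_]+)\\\\.app\\\\.mydomain\\\\.com/
quarkus.http.cors.access-control-allow-credentials=true
%dev.quarkus.http.cors.origins=/.*/
"""


def load_properties(text, profile=None):
    """Simplified properties parser: applies the properties-file escape rule
    (two backslashes become one) and lets a `%profile.` key override the
    plain key when that profile is active."""
    raw = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        raw[key.strip()] = value.strip().replace("\\\\", "\\")  # first unescape pass
    resolved = {}
    for key, value in raw.items():
        if key.startswith("%"):
            continue  # profile-specific keys only apply through the override below
        override_key = f"%{profile}.{key}" if profile else None
        resolved[key] = raw.get(override_key, value) if override_key else value
    return resolved


def split_list(value):
    """Split a comma-separated list value where a backslash escapes the next
    character (second unescape pass, modelled after the text's statement that
    four backslashes yield a literal '.' and two yield the '.' metacharacter)."""
    items, buf, i = [], [], 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value):
            buf.append(value[i + 1])  # keep the escaped character as-is
            i += 2
            continue
        if c == ",":
            items.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    items.append("".join(buf))
    return [s.strip() for s in items if s.strip()]


def compile_origins(items):
    """An item surrounded by forward slashes is a regular expression; anything
    else is compared literally."""
    matchers = []
    for item in items:
        if len(item) >= 2 and item.startswith("/") and item.endswith("/"):
            matchers.append(re.compile(item[1:-1]))
        else:
            matchers.append(item)
    return matchers


def is_allowed(origin, matchers):
    for m in matchers:
        if isinstance(m, str):
            if origin == m:
                return True
        elif m.fullmatch(origin):  # assumption: the whole origin must match
            return True
    return False


def cors_response_headers(origin, props):
    """Return the headers the filter would add for a cross-origin request from
    `origin`, or an empty dict when the origin is not allowed."""
    if props.get("quarkus.http.cors") != "true":
        return {}
    matchers = compile_origins(split_list(props.get("quarkus.http.cors.origins", "")))
    if not is_allowed(origin, matchers):
        return {}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if props.get("quarkus.http.cors.access-control-allow-credentials") == "true":
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    prod = load_properties(SAMPLE_PROPERTIES)
    dev = load_properties(SAMPLE_PROPERTIES, profile="dev")
    print("effective regex:", split_list(prod["quarkus.http.cors.origins"])[2])
    for o in ("https://team1.app.mydomain.com", "https://team1xapp.mydomain.com", "https://evil.example"):
        print(o, "prod:", cors_response_headers(o, prod), "dev:", cors_response_headers(o, dev))
```

Running the script shows the effect of the escaping: after both passes the third origin entry is /https://([a-z0-9-_]+)\.app\.mydomain\.com/, so https://team1.app.mydomain.com is allowed while https://team1xapp.mydomain.com is refused because the dot is now literal. With the dev profile active, /.*/ replaces the list and every origin, including https://evil.example, receives Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true, which is exactly why that override belongs under %dev. only.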