When configuring CorsConfiguration, be careful with setAllowedOriginPatterns.
If you give it the value *, then as long as two or more of port, domain and protocol match, the origins are treated as the same.
The exact details can be checked in the Spring docs.
Reference: CorsConfiguration (Spring Framework 6.2.0 API), docs.spring.io
public CorsConfiguration setAllowedOriginPatterns(@Nullable List<String> allowedOriginPatterns)
Alternative to setAllowedOrigins(java.util.List<java.lang.String>) that supports more flexible origins patterns with "*" anywhere in the host name in addition to port lists. Examples:
https://*.domain1.com -- domains ending with domain1.com
https://*.domain1.com:[8080,8081] -- domains ending with domain1.com on port 8080 or port 8081
https://*.domain1.com:[*] -- domains ending with domain1.com on any port, including the default port
comma-delimited list of patterns, for example, "https://*.a1.com,https://*.a2.com"; this is convenient when a value is resolved through a property placeholder, for example, "${origin}"; note that such placeholders must be resolved externally.
In contrast to allowedOrigins which only supports "*" and cannot be used with allowCredentials or allowPrivateNetwork, when an allowedOriginPattern is matched, the Access-Control-Allow-Origin response header is set to the matched origin and not to "*" nor to the pattern. Therefore, allowedOriginPatterns can be used in combination with setAllowCredentials(java.lang.Boolean) and setAllowPrivateNetwork(java.lang.Boolean) set to true.
By default this is not set.
Since: 5.3
Therefore, to allow only an exactly restricted set of domains, that option must be disabled.
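As an added example (not part of the original post, and not Spring's own sample code), the Java snippet below puts the permissive allowedOriginPatterns("*") setting next to an explicit allow-list and uses CorsConfiguration.checkOrigin() to show which Origin values each one would echo back in Access-Control-Allow-Origin; the origin names are assumed placeholders.

```java
import java.util.List;
import org.springframework.web.cors.CorsConfiguration;

// Added example (not from the original post): compares the permissive
// allowedOriginPatterns("*") setting with an explicit allow-list by asking
// CorsConfiguration.checkOrigin() which Origin values it would accept.
public class CorsOriginCheck {

    // Weak setting: "*" as an origin *pattern* matches every origin, and because
    // a matched pattern is echoed back as Access-Control-Allow-Origin, this works
    // even with allowCredentials(true): any site can make credentialed calls.
    static CorsConfiguration permissive() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOriginPatterns(List.of("*"));
        cfg.setAllowedMethods(List.of("GET", "POST"));
        cfg.setAllowCredentials(true);
        return cfg;
    }

    // Stricter setting: name the exact origin instead of using a pattern.
    // (the origin below is a placeholder, not taken from the original post)
    static CorsConfiguration restricted() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(List.of("https://app.example.com"));
        cfg.setAllowedMethods(List.of("GET", "POST"));
        cfg.setAllowCredentials(true);
        return cfg;
    }

    // checkOrigin returns the value to put in Access-Control-Allow-Origin,
    // or null when the origin is not allowed.
    static String allowed(CorsConfiguration cfg, String origin) {
        return cfg.checkOrigin(origin);
    }

    public static void main(String[] args) {
        String[] origins = {
            "https://app.example.com",       // the one origin we mean to allow
            "https://app.example.com:8443",  // same host, different port
            "http://app.example.com",        // same host, different scheme
            "https://evil.example.net"       // unrelated site
        };
        for (String o : origins) {
            System.out.printf("%-32s permissive=%s restricted=%s%n",
                o, allowed(permissive(), o), allowed(restricted(), o));
        }
    }
}
```

With the permissive config every origin in the list is echoed back unchanged, while the restricted config returns null for all but the exact listed origin.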