from cfml Slack
Has anyone seen any CORS related issues between Lucee 5.3.9.141 and 5.3.9.160? Running a javascript app on my local dev machine connecting to a local Lucee server (Commandbox) I am seeing random CORS errors when making requests (Taffy API). I can hit the same api endpoint 5 times and 1 out of the 5 will return a CORS error when on Lucee 5.3.9.160. If I simply stop the server and then start again with Lucee 5.3.9.141 no more CORS errors. It is happening intermittently on most of my API endpoints. I recently deployed the API to AWS with Lucee 5.3.9.160 and started seeing the same random CORS errors - reverted back to 5.3.9.141 and they are gone.
Here’s the error in the browser console:
Access to XMLHttpRequest at 'https://api.test:8080/v3/organisations/' from origin '[https://app.test](https://app.test/)' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
we then worked out it starts with
since 5.3.9-SNAPSHOT+151
So the functioning GET request running on the +150 snapshot for the /organisations endpoint has the following Reponse Headers:
access-control-allow-headers: Origin, Authorization, X-CSRF-Token, X-Requested-With, Content-Type, X-HTTP-Method-Override, Accept, Referrer, User-Agent access-control-allow-methods: GET,POST access-control-allow-origin: * allow: GET,POST content-encoding: gzip content-language: en-GB content-type: application/json;charset=utf-8 date: Thu, 08 Sep 2022 15:51:18 GMT x-time-in-cache-check: 0 x-time-in-cache-save: 0 x-time-in-ontaffyrequest: 336 x-time-in-ontaffyrequestend: 0 x-time-in-parse: 0 x-time-in-resource: 373 x-time-in-serialize: 0 x-time-in-taffy: 0
In +151 for a failing /organisations request:
Response Headers:
content-encoding: gzip content-length: 4072 content-type: text/html;charset=UTF-8 date: Thu, 08 Sep 2022 15:58:36 GMT
code changes in question
anyone else having problems?