Has anyone seen any CORS related issues between Lucee 5.3.9.141 and 5.3.9.160?

from cfml Slack

Has anyone seen any CORS related issues between Lucee 5.3.9.141 and 5.3.9.160? Running a JavaScript app on my local dev machine connecting to a local Lucee server (CommandBox) I am seeing random CORS errors when making requests (Taffy API). I can hit the same API endpoint 5 times and 1 out of the 5 will return a CORS error when on Lucee 5.3.9.160. If I simply stop the server and then start again with Lucee 5.3.9.141, no more CORS errors. It is happening intermittently on most of my API endpoints. I recently deployed the API to AWS with Lucee 5.3.9.160 and started seeing the same random CORS errors - reverted back to 5.3.9.141 and they are gone.

Here’s the error in the browser console:

Access to XMLHttpRequest at 'https://api.test:8080/v3/organisations/' from origin 'https://app.test' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

we then worked out it starts with

since 5.3.9-SNAPSHOT+151

So the functioning GET request running on the +150 snapshot for the /organisations endpoint has the following Response Headers:

```
access-control-allow-headers: Origin, Authorization, X-CSRF-Token, X-Requested-With, Content-Type, X-HTTP-Method-Override, Accept, Referrer, User-Agent
access-control-allow-methods: GET,POST
access-control-allow-origin: *
allow: GET,POST
content-encoding: gzip
content-language: en-GB
content-type: application/json;charset=utf-8
date: Thu, 08 Sep 2022 15:51:18 GMT
x-time-in-cache-check: 0
x-time-in-cache-save: 0
x-time-in-ontaffyrequest: 336
x-time-in-ontaffyrequestend: 0
x-time-in-parse: 0
x-time-in-resource: 373
x-time-in-serialize: 0
x-time-in-taffy: 0
```

In +151 for a failing /organisations request, the Response Headers are:

```
content-encoding: gzip
content-length: 4072
content-type: text/html;charset=UTF-8
date: Thu, 08 Sep 2022 15:58:36 GMT
```

code changes in question

anyone else having problems?
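As an added diagnostic (not code from this thread, Lucee, Taffy or CommandBox), the script below classifies a response the way a browser's CORS check would and can poll an endpoint repeatedly to catch an intermittent miss; the header dicts at the bottom are constructed from the two dumps above, and the origin and URL values are the ones quoted in the browser error.

```python
# Diagnostic added for this thread; not Lucee, Taffy or CommandBox code.
# Assumes the browser sent an Origin header and that the API normally
# answers application/json with an Access-Control-Allow-Origin header.
import urllib.error
import urllib.request
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}

def needs_cors(page_origin: str, api_url: str) -> bool:
    """True when scheme, host or port differ, i.e. CORS headers are required."""
    a, b = urlsplit(page_origin), urlsplit(api_url)
    pa = a.port or DEFAULT_PORT.get(a.scheme)
    pb = b.port or DEFAULT_PORT.get(b.scheme)
    return (a.scheme, a.hostname, pa) != (b.scheme, b.hostname, pb)

def classify(origin: str, headers: dict) -> str:
    """Return 'ok' or the reason a browser would block this response."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        if h.get("content-type", "").startswith("text/html"):
            # A JSON API answering text/html with no CORS headers usually
            # means an error page was served before the API code ran.
            return "missing ACAO: text/html error page instead of JSON"
        return "missing ACAO header"
    if acao == "*":
        if h.get("access-control-allow-credentials", "").lower() == "true":
            return "ACAO '*' is rejected for credentialed requests"
        return "ok"
    # Browsers compare the serialized origin byte for byte, port included.
    return "ok" if acao == origin else f"ACAO {acao!r} != origin {origin!r}"

def probe(url: str, origin: str, attempts: int = 5) -> list:
    """Request url repeatedly with an Origin header; classify each reply."""
    results = []
    for _ in range(attempts):
        req = urllib.request.Request(url, headers={"Origin": origin})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                headers = dict(resp.headers.items())
        except urllib.error.HTTPError as err:  # error pages still carry headers
            headers = dict(err.headers.items())
        results.append(classify(origin, headers))
    return results

# Constructed from the two header dumps in the thread (abbreviated).
WORKING_150 = {"access-control-allow-origin": "*",
               "content-type": "application/json;charset=utf-8"}
FAILING_151 = {"content-type": "text/html;charset=UTF-8", "content-length": "4072"}
```

Running `probe("https://api.test:8080/v3/organisations/", "https://app.test")` against the affected server should show a mix of "ok" and "missing ACAO: text/html ..." results, which points at an error page being served for the failing requests rather than at the port.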

I didn’t test .160 but I can see from your CORS error that the request is coming from a different port than the endpoint (8080 vs omitted 443). The ports in CORS are part of the domain and need to match between origin and endpoint. Anyway, can you check if that port is changing or jumping from 8080 and back or being rewritten somehow?

Update: now I see the point. Going to verify as soon as I can.