CORS

Basics

For simple requests (e.g. GET, or POST with form data), the request is always sent; only the response is blocked. So state-changing operations must not be implemented with GET, and POST forms need CSRF protection.

For other requests (e.g. POST with application/json), the browser first sends a preflight OPTIONS request and checks the Access-Control-Allow-xxxx headers in its response.

Credentials cross-domain

Access-Control-Allow-Origin: either * or exactly ONE domain.

(That means the server has to check the incoming "Origin" header and echo it back if it is acceptable.)

When "*" is used, the browser does not allow requests with withCredentials (e.g. with cookies).

Example fetch request:

fetch('http://localhost:10005/url', {
    method: 'GET',
    // credentials is a top-level fetch option, not a request header;
    // placed inside headers it is only sent as a custom header named "credentials"
    credentials: 'include',
    headers: {
      "Content-Type": "application/json",
      "Authorization": "Bearer 1232321"
    }
  }).then(o => o.json()).then(a => console.log(a))

A request with credentials: 'include' is only taken into account cross-domain. It sends cookies with the request.

Example network capture (preflight)

  Request:
    OPTIONS /api/customer-portal-api/v1/loan/all HTTP/1.1
    Host: localhost:10005
    Connection: keep-alive
    Sec-Fetch-Mode: cors
    Access-Control-Request-Method: GET
    Origin: https://www.google.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
    Access-Control-Request-Headers: authorization,content-type,credentials
    Accept: */*
    Sec-Fetch-Site: cross-site
    Referer: https://www.google.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9

  Response:
    HTTP/1.1 200
    Vary: Origin
    Vary: Access-Control-Request-Method
    Vary: Access-Control-Request-Headers
    Access-Control-Allow-Origin: https://www.google.com
    Access-Control-Allow-Methods: GET,HEAD,POST
    Access-Control-Allow-Headers: authorization, content-type, credentials
    Access-Control-Allow-Credentials: true
    Access-Control-Max-Age: 1800
    Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-Frame-Options: DENY
    Transfer-Encoding: chunked
    Date: Wed, 09 Oct 2019 18:48:09 GMT
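The origin check from the "Credentials cross-domain" section, producing the same Access-Control-Allow-* / Vary headers seen in the capture, written here as an added example (not code from the original page). It assumes an exact-match origin allowlist and the constructed method/header allowlists below; the request is a plain object with lower-cased header names.

```javascript
// Added example, not code from the original page: the server-side Origin check
// described above as a pure function. Assumes an exact-match allowlist of
// origins and the method/header allowlists below (constructed values).
const ALLOWED_ORIGINS = new Set(['https://www.google.com', 'https://app.example.test']);
const ALLOWED_METHODS = ['GET', 'HEAD', 'POST'];
const ALLOWED_HEADERS = new Set(['authorization', 'content-type']);

// Parse "authorization,content-type" into a normalized list of header names.
function requestedHeaders(value) {
  return (value || '').split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
}

// Decide the CORS response for one request. `req` is { method, headers } with
// lower-cased header names; returns { status, headers } for the server to send.
function corsResponse(req, allowlist = ALLOWED_ORIGINS) {
  const origin = req.headers['origin'];
  // Vary tells caches the answer depends on these request headers (as in the capture).
  const headers = {
    'Vary': 'Origin, Access-Control-Request-Method, Access-Control-Request-Headers',
  };
  const isPreflight = req.method === 'OPTIONS' && 'access-control-request-method' in req.headers;
  // No Origin header: same-origin navigation or a non-browser client; nothing to add.
  if (origin === undefined) return { status: 200, headers };
  // Exact match only. Reflecting any Origin, or using "*" together with
  // Allow-Credentials, would let every site read authenticated responses.
  // "Origin: null" (sandboxed iframes, file://) is rejected here as well.
  if (!allowlist.has(origin)) {
    // No Access-Control-Allow-* headers, so the browser blocks the response;
    // a rejected preflight also stops the real request from being sent.
    return { status: isPreflight ? 403 : 200, headers };
  }
  headers['Access-Control-Allow-Origin'] = origin;        // echo the vetted origin, never "*"
  headers['Access-Control-Allow-Credentials'] = 'true';   // only valid with a specific origin
  if (!isPreflight) return { status: 200, headers };
  // Preflight: the requested method and headers must both be on the allowlist.
  const method = req.headers['access-control-request-method'].toUpperCase();
  const wanted = requestedHeaders(req.headers['access-control-request-headers']);
  if (!ALLOWED_METHODS.includes(method) || wanted.some(h => !ALLOWED_HEADERS.has(h))) {
    return { status: 403, headers: { 'Vary': headers['Vary'] } };
  }
  headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(',');
  headers['Access-Control-Allow-Headers'] = wanted.join(', ');
  headers['Access-Control-Max-Age'] = '1800';             // cache this preflight for 30 min
  return { status: 204, headers };
}
```

Note that the capture's requested header "credentials" (the client's misplaced fetch option) would be refused by this allowlist, which is the intended behaviour: only headers the API actually needs are approved.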

Spring

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.servlet.config.annotation.CorsRegistry;
    import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

    @Configuration
    public class CorsConfig {
        @Bean
        public WebMvcConfigurer corsConfigurer() {
            return new WebMvcConfigurer() {
                @Override
                public void addCorsMappings(CorsRegistry registry) {
                    // CORS_CONFIG_URL is the path pattern to apply this mapping to. Spring Framework 5.3+ rejects
                    // allowedOrigins("*") combined with allowCredentials(true); list origins explicitly or use allowedOriginPatterns(...)
                    registry.addMapping(CORS_CONFIG_URL).allowedOrigins("*").allowCredentials(true);
                }
            };
        }
    }

With allowCredentials(true), the server returns the Access-Control-Allow-Origin header as the request's Origin domain rather than "*".