Fix CORS response headers (#286)

namedgraph · claude · namedgraph · commit cd43ae934adb · 2026-04-11T23:39:17.000+02:00
* Move CORS headers from Java filters to nginx

Varnish caches responses without varying on Origin, so whether CORS
headers appear in cached responses depends on which request first
populated the cache. Moving CORS to nginx ensures the headers are
always present on every response regardless of cache state.

Removes JAX-RS CORSFilter and Tomcat CorsFilter (web.xml /static/*);
adds Access-Control-* headers and OPTIONS preflight (204) to nginx
location / blocks in both docker-compose.yml and nginx.conf.template.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;

* Add CORS header to /static/ nginx location blocks

The cors-static.sh test was failing because Access-Control-Allow-Origin
was only added to location / but not location ^~ /static/.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;

---------

Co-authored-by: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -204,6 +204,20 @@ configs:
               ssl_verify_client ${NGINX_SSL_VERIFY_CLIENT:-optional_no_ca};
 
               location / {
+                  add_header Access-Control-Allow-Origin "*" always;
+                  add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS" always;
+                  add_header Access-Control-Allow-Headers "Accept, Content-Type, Authorization" always;
+                  add_header Access-Control-Expose-Headers "Link, Content-Location, Location" always;
+
+                  if ($$request_method = OPTIONS) {
+                      add_header Access-Control-Allow-Origin "*";
+                      add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS";
+                      add_header Access-Control-Allow-Headers "Accept, Content-Type, Authorization";
+                      add_header Access-Control-Expose-Headers "Link, Content-Location, Location";
+                      add_header Access-Control-Max-Age "1728000";
+                      return 204;
+                  }
+
                   proxy_pass http://linkeddatahub;
                   #proxy_cache backcache;
                   limit_req zone=linked_data burst=30 nodelay;
@@ -215,8 +229,6 @@ configs:
 
                   proxy_set_header Client-Cert '';
                   proxy_set_header Client-Cert $$ssl_client_escaped_cert;
-
-                  # add_header Cache-Control "public, max-age=86400";
               }
 
               location ^~ /uploads/ {
@@ -238,6 +250,7 @@ configs:
                   proxy_pass http://linkeddatahub;
                   limit_req zone=static_files burst=50 nodelay;
 
+                  add_header Access-Control-Allow-Origin "*" always;
                   add_header Cache-Control "public, max-age=604800, immutable";
               }
           }
@@ -253,6 +266,20 @@ configs:
               ssl_verify_client optional_no_ca;
 
               location / {
+                  add_header Access-Control-Allow-Origin "*" always;
+                  add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS" always;
+                  add_header Access-Control-Allow-Headers "Accept, Content-Type, Authorization" always;
+                  add_header Access-Control-Expose-Headers "Link, Content-Location, Location" always;
+
+                  if ($$request_method = OPTIONS) {
+                      add_header Access-Control-Allow-Origin "*";
+                      add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS";
+                      add_header Access-Control-Allow-Headers "Accept, Content-Type, Authorization";
+                      add_header Access-Control-Expose-Headers "Link, Content-Location, Location";
+                      add_header Access-Control-Max-Age "1728000";
+                      return 204;
+                  }
+
                   proxy_pass http://linkeddatahub;
                   #proxy_cache backcache;
                   limit_req zone=linked_data burst=30 nodelay;
@@ -269,6 +296,8 @@ configs:
               location ^~ /static/ {
                   proxy_pass http://linkeddatahub;
                   limit_req zone=static_files burst=50 nodelay;
+
+                  add_header Access-Control-Allow-Origin "*" always;
               }
           }
 
diff --git a/http-tests/misc/cors-jaxrs.sh b/http-tests/misc/cors-jaxrs.sh
@@ -7,7 +7,7 @@ purge_cache "$END_USER_VARNISH_SERVICE"
 purge_cache "$ADMIN_VARNISH_SERVICE"
 purge_cache "$FRONTEND_VARNISH_SERVICE"
 
-# Test JAX-RS CORSFilter on dynamic content (GET request)
+# Test nginx CORS headers on dynamic content (GET request)
 
 response=$(curl -i -k -s \
   -H "Origin: https://example.com" \
diff --git a/src/main/java/com/atomgraph/linkeddatahub/Application.java b/src/main/java/com/atomgraph/linkeddatahub/Application.java
@@ -105,7 +105,6 @@
 import com.atomgraph.linkeddatahub.server.filter.request.AuthorizationFilter;
 import com.atomgraph.linkeddatahub.server.filter.request.ContentLengthLimitFilter;
 import com.atomgraph.linkeddatahub.server.filter.request.auth.ProxiedWebIDFilter;
-import com.atomgraph.linkeddatahub.server.filter.response.CORSFilter;
 import com.atomgraph.linkeddatahub.server.filter.response.ResponseHeadersFilter;
 import com.atomgraph.linkeddatahub.server.filter.response.CacheInvalidationFilter;
 import com.atomgraph.linkeddatahub.server.filter.response.XsltExecutableFilter;
@@ -1126,7 +1125,6 @@ protected void registerContainerRequestFilters()
      */
     protected void registerContainerResponseFilters()
     {
-        register(new CORSFilter());
         register(new ResponseHeadersFilter());
         register(new XsltExecutableFilter());
         if (isInvalidateCache()) register(new CacheInvalidationFilter());
diff --git a/src/main/java/com/atomgraph/linkeddatahub/server/filter/response/CORSFilter.java b/src/main/java/com/atomgraph/linkeddatahub/server/filter/response/CORSFilter.java
diff --git a/src/main/webapp/WEB-INF/web.xml b/src/main/webapp/WEB-INF/web.xml
@@ -373,23 +373,7 @@ support@atomgraph.com]]></param-value>
         <servlet-name>com.atomgraph.linkeddatahub.Application</servlet-name>
         <url-pattern>/*</url-pattern>
     </servlet-mapping>
-    <filter>
-        <filter-name>CORS filter</filter-name>
-        <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
-        <init-param>
-            <param-name>cors.allowed.origins</param-name>
-            <param-value>*</param-value>
-        </init-param>
-        <init-param>
-            <param-name>cors.allowed.methods</param-name>
-            <param-value>GET,HEAD,OPTIONS</param-value>
-        </init-param>
-    </filter>
-    <filter-mapping>
-        <filter-name>CORS filter</filter-name>
-        <url-pattern>/static/*</url-pattern>
-    </filter-mapping>
-    <filter>
+<filter>
         <filter-name>HSTS filter</filter-name>
         <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
         <init-param>
