Fix CORS response headers

docker-compose.yml

@@ -204,6 +204,20 @@ configs:
               ssl_verify_client ${NGINX_SSL_VERIFY_CLIENT:-optional_no_ca};
 
               location / {
+                  add_header Access-Control-Allow-Origin "*" always;
+                  add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS" always;
+                  add_header Access-Control-Allow-Headers "Accept, Content-Type, Authorization" always;
+                  add_header Access-Control-Expose-Headers "Link, Content-Location, Location" always;
+
+                  if ($$request_method = OPTIONS) {
+                      add_header Access-Control-Allow-Origin "*";
+                      add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS";
+                      add_header Access-Control-Allow-Headers "Accept, Content-Type, Authorization";
+                      add_header Access-Control-Expose-Headers "Link, Content-Location, Location";
+                      add_header Access-Control-Max-Age "1728000";
+                      return 204;
+                  }
+
                   proxy_pass http://linkeddatahub;
                   #proxy_cache backcache;
                   limit_req zone=linked_data burst=30 nodelay;
@@ -215,8 +229,6 @@ configs:
 
                   proxy_set_header Client-Cert '';
                   proxy_set_header Client-Cert $$ssl_client_escaped_cert;
-
-                  # add_header Cache-Control "public, max-age=86400";
               }
 
               location ^~ /uploads/ {
@@ -238,6 +250,7 @@ configs:
                   proxy_pass http://linkeddatahub;
                   limit_req zone=static_files burst=50 nodelay;
 
+                  add_header Access-Control-Allow-Origin "*" always;
                   add_header Cache-Control "public, max-age=604800, immutable";
               }
           }
@@ -253,6 +266,20 @@ configs:
               ssl_verify_client optional_no_ca;
 
               location / {
+                  add_header Access-Control-Allow-Origin "*" always;
+                  add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS" always;
+                  add_header Access-Control-Allow-Headers "Accept, Content-Type, Authorization" always;
+                  add_header Access-Control-Expose-Headers "Link, Content-Location, Location" always;
+
+                  if ($$request_method = OPTIONS) {
+                      add_header Access-Control-Allow-Origin "*";
+                      add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS";
+                      add_header Access-Control-Allow-Headers "Accept, Content-Type, Authorization";
+                      add_header Access-Control-Expose-Headers "Link, Content-Location, Location";
+                      add_header Access-Control-Max-Age "1728000";
+                      return 204;
+                  }
+
                   proxy_pass http://linkeddatahub;
                   #proxy_cache backcache;
                   limit_req zone=linked_data burst=30 nodelay;
@@ -269,6 +296,8 @@ configs:
               location ^~ /static/ {
                   proxy_pass http://linkeddatahub;
                   limit_req zone=static_files burst=50 nodelay;
+
+                  add_header Access-Control-Allow-Origin "*" always;
               }
           }
 

http-tests/misc/cors-jaxrs.sh

@@ -7,7 +7,7 @@ purge_cache "$END_USER_VARNISH_SERVICE"
 purge_cache "$ADMIN_VARNISH_SERVICE"
 purge_cache "$FRONTEND_VARNISH_SERVICE"
 
-# Test JAX-RS CORSFilter on dynamic content (GET request)
+# Test nginx CORS headers on dynamic content (GET request)
 
 response=$(curl -i -k -s \
   -H "Origin: https://example.com" \

src/main/java/com/atomgraph/linkeddatahub/Application.java

@@ -105,7 +105,6 @@
 import com.atomgraph.linkeddatahub.server.filter.request.AuthorizationFilter;
 import com.atomgraph.linkeddatahub.server.filter.request.ContentLengthLimitFilter;
 import com.atomgraph.linkeddatahub.server.filter.request.auth.ProxiedWebIDFilter;
-import com.atomgraph.linkeddatahub.server.filter.response.CORSFilter;
 import com.atomgraph.linkeddatahub.server.filter.response.ResponseHeadersFilter;
 import com.atomgraph.linkeddatahub.server.filter.response.CacheInvalidationFilter;
 import com.atomgraph.linkeddatahub.server.filter.response.XsltExecutableFilter;
@@ -1126,7 +1125,6 @@ protected void registerContainerRequestFilters()
      */
     protected void registerContainerResponseFilters()
     {
-        register(new CORSFilter());
         register(new ResponseHeadersFilter());
         register(new XsltExecutableFilter());
         if (isInvalidateCache()) register(new CacheInvalidationFilter());

src/main/webapp/WEB-INF/web.xml

@@ -373,23 +373,7 @@ support@atomgraph.com]]></param-value>
         <servlet-name>com.atomgraph.linkeddatahub.Application</servlet-name>
         <url-pattern>/*</url-pattern>
     </servlet-mapping>
-    <filter>
-        <filter-name>CORS filter</filter-name>
-        <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
-        <init-param>
-            <param-name>cors.allowed.origins</param-name>
-            <param-value>*</param-value>
-        </init-param>
-        <init-param>
-            <param-name>cors.allowed.methods</param-name>
-            <param-value>GET,HEAD,OPTIONS</param-value>
-        </init-param>
-    </filter>
-    <filter-mapping>
-        <filter-name>CORS filter</filter-name>
-        <url-pattern>/static/*</url-pattern>
-    </filter-mapping>
-    <filter>
+<filter>
         <filter-name>HSTS filter</filter-name>
         <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
         <init-param>