Any way to configure allowedOrigins on the graphql servlet for Cors requests?

[Mrman]

Firstly, big thanks for putting this altogether! Saved me a huge amount of time already.

From what I can see in GraphQLWebAutoConfiguration with graphql.servlet.corsEnabled=true uses the default permit all:

CorsConfiguration corsConfiguration = new CorsConfiguration().applyPermitDefaultValues();

Am I missing where I can configure the allowedOrigins for Cors requests through config or is this not currently supported?

Cheers

[oliemansm]

It's not configurable at the moment. I added this for the next release. You'll be able to use the property graphql.servlet.cors.allowed-origins. The other properties of CorsConfiguration are configurable that way too.

[Mrman]

Awesome, thanks @oliemansm! Looking forward to 7.1.0 being released.

[oliemansm]

@Mrman You could try it out already with snapshot 7.1.0-SNAPSHOT if you want to. Just add the snapshot repository to your project: https://github.com/graphql-java-kickstart/graphql-spring-boot#snapshots.

[maxiwu]

@Mrman You could try it out already with snapshot 7.1.0-SNAPSHOT if you want to. Just add the snapshot repository to your project: https://github.com/graphql-java-kickstart/graphql-spring-boot#snapshots.

Will it work if I override addCorsMappings() in CorsConfiguration and @EnableWebFlux?
Which bean or class is responsible for CORS of graphql running on Netty?

UPDATE:
I made it work. But the Mapping has to be "/graphql/**"

[Thinkenterprise]

Why is it not just possible to configure using the Web MVC Configuration like this:

@Bean
public WebMvcConfigurer corsConfigurer() {
	return new WebMvcConfigurer() {
	  @Override
	  public void addCorsMappings(CorsRegistry registry) {
	    registry.addMapping("/graphql").allowedOrigins("http://someOtherOrigins");
	}
    };
}

[oliemansm]

@Thinkenterprise It's just by chance I'm seeing this comment on the closed issue, but we generally don't notice these. Since we've enabled Discussions on the projects, best next time to ask the question there and link it to this issue.

Having said that I'm not sure what'll happen when you configure it using WebMvcConfigurer. When using the configuration options as provided by the library it'll create a CorsFilter bean which is used to protect the servlet.