Package org.springframework.web.bind.annotation

Annotation Interface CrossOrigin

@Target({TYPE,METHOD}) @Retention(RUNTIME) @Documented public @interface CrossOrigin
Annotation for permitting cross-origin requests on specific handler classes and/or handler methods. Processed if an appropriate HandlerMapping is configured.

Both Spring Web MVC and Spring WebFlux support this annotation through the RequestMappingHandlerMapping in their respective modules. The values from each type and method level pair of annotations are added to a CorsConfiguration and then default values are applied via CorsConfiguration.applyPermitDefaultValues().

The rules for combining global and local configuration are generally additive -- for example, all global and all local origins. For those attributes where only a single value can be accepted such as allowCredentials and maxAge, the local overrides the global value. See CorsConfiguration.combine(CorsConfiguration) for more details.

Since:
4.2
Author:
Russell Allen, Sebastien Deleuze, Sam Brannen, Ruslan Akhundov

  • Optional Element Summary

    Optional Elements
    Modifier and Type
    Optional Element
    Description
    String
    allowCredentials
    Whether the browser should send credentials, such as cookies along with cross domain requests, to the annotated endpoint.
    String[]
    allowedHeaders
    The list of request headers that are permitted in actual requests, possibly "*" to allow all headers.
    String
    allowPrivateNetwork
    Whether private network access is supported.
    String[]
    exposedHeaders
    The List of response headers that the user-agent will allow the client to access on an actual response, possibly "*" to expose all headers.
    long
    maxAge
    The maximum age (in seconds) of the cache duration for preflight responses.
    RequestMethod[]
    methods
    The list of supported HTTP request methods.
    String[]
    originPatterns
    Alternative to origins() that supports more flexible origin patterns.
    String[]
    origins
    A list of origins for which cross-origin requests are allowed.
    String[]
    value
    Alias for origins().

  • Element Details

    • value

      @AliasFor("origins") String[] value
      Alias for origins().
      Default:
      {}

    • origins

      @AliasFor("value") String[] origins
      A list of origins for which cross-origin requests are allowed. Please, see CorsConfiguration.setAllowedOrigins(List) for details.

      By default all origins are allowed unless originPatterns() is also set in which case originPatterns is used instead.

      Default:
      {}

    • originPatterns

      String[] originPatterns
      Alternative to origins() that supports more flexible origin patterns. Please, see CorsConfiguration.setAllowedOriginPatterns(List) for details.

      By default this is not set.

      Since:
      5.3
      Default:
      {}

    • allowedHeaders

      String[] allowedHeaders
      The list of request headers that are permitted in actual requests, possibly "*" to allow all headers. Please, see CorsConfiguration.setAllowedHeaders(List) for details.

      By default all requested headers are allowed.

      Default:
      {}

    • exposedHeaders

      String[] exposedHeaders
      The List of response headers that the user-agent will allow the client to access on an actual response, possibly "*" to expose all headers. Please, see CorsConfiguration.setExposedHeaders(List) for details.

      By default no headers are listed as exposed.

      Default:
      {}

    • methods

      RequestMethod[] methods
      The list of supported HTTP request methods. Please, see CorsConfiguration.setAllowedMethods(List) for details.

      By default the supported methods are the same as the ones to which a controller method is mapped.

      Default:
      {}

    • allowCredentials

      String allowCredentials
      Whether the browser should send credentials, such as cookies along with cross domain requests, to the annotated endpoint. Please, see CorsConfiguration.setAllowCredentials(Boolean) for details.

      NOTE: Be aware that this option establishes a high level of trust with the configured domains and also increases the surface attack of the web application by exposing sensitive user-specific information such as cookies and CSRF tokens.

      By default this is not set in which case the Access-Control-Allow-Credentials header is also not set and credentials are therefore not allowed.

      Default:
      ""

    • allowPrivateNetwork

      String allowPrivateNetwork
      Whether private network access is supported. Please, see CorsConfiguration.setAllowPrivateNetwork(Boolean) for details.

      By default this is not set (i.e. private network access is not supported).

      Since:
      5.3.32
      Default:
      ""

    • maxAge

      long maxAge
      The maximum age (in seconds) of the cache duration for preflight responses.

      This property controls the value of the Access-Control-Max-Age response header of preflight requests.

      Setting this to a reasonable value can reduce the number of preflight request/response interactions required by the browser. A negative value means undefined.

      By default this is set to 1800 seconds (30 minutes).

      Default:
      -1L