CORS: Restrictions for "Access-Control-Allow-Origin" header only applies to the OPTIONS request and ignored for other HTTP requests

[ryuferev]

We are trying to enforce restricted access to the server ONLY from the "trusted" websites via CORS. We apply restrictions to the origins, methods, and headers. Those restrictions only apply to the OPTIONS requests, and the server is ignoring them for all other request types.

To Reproduce

Expected behavior
The server is rejecting all requests except whitelisted in cfg.http.cors.(origins, methods, header). The server responds with HTTP 403 and includes Vary: Origin header for invalid (not whitelisted) domain.

Actual behavior:
When the browser is sending the OPTIONS request, the server provides allowed methods/headers for the origin, but still allows all requests from all origins (it means that the browser still can make GET, POST, and other requests regardless of the origin and server doesn't reject it)

Steps to reproduce the behavior:

there is a fragment of the code below where we set the allowed origins, methods, header:

    // cfg.http.cors.allowedOrigins = ["https://test.com/"]
    // cfg.http.cors.allowedMethods = ["GET","POST","PATCH","PUT","DELETE","OPTIONS","HEAD"]
    // cfg.http.cors.allowedHeaders = ["*"]
    CorsConfig(
      allowedOrigin = {
        case origin if cfg.http.cors.anyOrigin || cfg.http.cors.allowedOrigins.contains(render(origin)) =>
          Some(AccessControlAllowOrigin.Specific(origin))
        case _ => None
      }
      allowCredentials = Header.AccessControlAllowCredentials.allow(cfg.http.cors.allowCredentials),
      allowedMethods = allowedMethods,
      allowedHeaders = allowedHeaders
    )

This issue causes a violation of security compliance requirements and blocks our component's integration :(

Thank you!
Roman.