hapi-fhir-jpaserver-starter

Define Additional CORS Headers

Open ZuSe opened this issue 3 years ago • 5 comments

Is there any possibility to add custom CORS headers to the whitelist? I have some crazy web app which is adding a sentry-trace header to all requests, for whatever reason.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://my-server.dev/fhir/QuestionnaireResponse?_format=json&_pretty=false&subject=Patient/24bfcc75-ef9a-475d-a863-fa35d5f47bc1. (Reason: header ‘sentry-trace’ is not allowed according to header ‘Access-Control-Allow-Headers’ from CORS preflight response).

ZuSe avatar Mar 07 '22 14:03 ZuSe

Have you checked the documentation at https://github.com/hapifhir/hapi-fhir-jpaserver-starter/blob/40d7b9ce27355fedb3fb70fcd79a09d7bd8290bb/src/main/resources/application.yaml#L108 - there may be some options to allow such use

jkiddo avatar Mar 07 '22 19:03 jkiddo

As far as I can see it only supports a list of additional hostnames, but no custom headers as I wrote above :/

ZuSe avatar Mar 08 '22 13:03 ZuSe

You might want to define your own CORS configuration directly in the code to allow additional headers.

https://github.com/hapifhir/hapi-fhir-jpaserver-starter/blob/master/src/main/java/ca/uhn/fhir/jpa/starter/BaseJpaRestfulServer.java#L274-L284

    if (appProperties.getCors() != null) {
      ourLog.info("CORS is enabled on this server");
      CorsConfiguration config = new CorsConfiguration();
      // Request headers a browser may send cross-origin; anything else fails the preflight
      config.addAllowedHeader(HttpHeaders.ORIGIN);
      config.addAllowedHeader(HttpHeaders.ACCEPT);
      config.addAllowedHeader(HttpHeaders.CONTENT_TYPE);
      config.addAllowedHeader(HttpHeaders.AUTHORIZATION);
      config.addAllowedHeader(HttpHeaders.CACHE_CONTROL);
      config.addAllowedHeader("x-fhir-starter");
      config.addAllowedHeader("X-Requested-With");
      config.addAllowedHeader("Prefer");
      // ... (excerpt ends here; the rest of the block is in the linked file)
    }

lanesky avatar Jun 22 '22 04:06 lanesky

That's exactly what we did. The question was more whether we want to provide it as part of the config.

ZuSe avatar Jul 05 '22 15:07 ZuSe
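
One way the allow-list discussed in this thread could be driven from configuration, as an added example (not code from the project or from any participant). The `extraHeaders` parameter stands in for a hypothetical config property that the starter does not provide, and `https://app.example` is a constructed origin; it assumes Spring Web on the classpath.

```java
import java.util.List;
import java.util.regex.Pattern;
import org.springframework.http.HttpHeaders;
import org.springframework.web.cors.CorsConfiguration;

public class ConfigurableCorsHeaders {
  // RFC 7230 "token": the only characters valid in an HTTP header field name.
  private static final Pattern TOKEN =
      Pattern.compile("^[!#$%&'*+.^_`|~0-9A-Za-z-]+$");

  // The headers the snippet quoted in the thread already allows.
  private static final List<String> DEFAULTS = List.of(
      HttpHeaders.ORIGIN, HttpHeaders.ACCEPT, HttpHeaders.CONTENT_TYPE,
      HttpHeaders.AUTHORIZATION, HttpHeaders.CACHE_CONTROL,
      "x-fhir-starter", "X-Requested-With", "Prefer");

  // extraHeaders: hypothetical config value, e.g. read from application.yaml.
  static CorsConfiguration build(List<String> origins, List<String> extraHeaders) {
    CorsConfiguration config = new CorsConfiguration();
    origins.forEach(config::addAllowedOrigin);
    DEFAULTS.forEach(config::addAllowedHeader);
    for (String raw : extraHeaders) {
      String name = raw.trim();
      // "*" is a valid token character, so reject it before the syntax check:
      // a wildcard would turn the allow-list into allow-everything.
      if (name.equals("*")) {
        throw new IllegalArgumentException("List CORS headers explicitly, not '*'");
      }
      if (!TOKEN.matcher(name).matches()) {
        throw new IllegalArgumentException("Not a valid header name: " + raw);
      }
      config.addAllowedHeader(name);
    }
    return config;
  }

  public static void main(String[] args) {
    // Constructed preflight: what Access-Control-Request-Headers would carry.
    List<String> requested = List.of("authorization", "sentry-trace");
    List<String> origins = List.of("https://app.example");
    // checkHeaders returns the requested headers this configuration allows,
    // i.e. what ends up in Access-Control-Allow-Headers.
    System.out.println(build(origins, List.of()).checkHeaders(requested));
    System.out.println(build(origins, List.of("sentry-trace")).checkHeaders(requested));
  }
}
```

Validating each configured name keeps a typo or a stray wildcard in the config file from silently widening the set of headers that cross-origin pages may send.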