CORS headers in event bus info request


thrana...@gmail.com

Jan 7, 2021, 2:09:25 AM
to vert.x
Hi all,

We are using Vert.x version 3.8.5.

Our JavaScript web application creates an event bus connection from the front end to the Java backend. Everything works fine in terms of communication. But when we analyzed it for security, we found that the event bus info request always sends 'Access-Control-Allow-Origin: *' as a header in the response. We don't need cross-domain requests, and we use a single domain.

On further analysis of the issue, we saw that the header was set by 'io.vertx.ext.web.handler.sockjs.impl.BaseTransport#setCORS'. Chrome dev tools show us that the application does not send an Origin header in the request.



Is there a specific option that needs to be set in the event bus initialization options on the JavaScript side?

The following is how we initialize the event bus on the client side:

var options = {
    vertxbus_reconnect_attempts_max: Infinity, // Max reconnect attempts
    vertxbus_reconnect_delay_min: 1000, // Initial delay (in ms) before first reconnect attempt
    vertxbus_reconnect_delay_max: 5000, // Max delay (in ms) between reconnect attempts
    vertxbus_reconnect_exponent: 2, // Exponential backoff factor
    vertxbus_randomization_factor: 0.5 // Randomization factor between 0 and 1
};
options.transports = ['websocket'];
this.eventBus = new EventBus(this.url, options);






thrana...@gmail.com

Jan 7, 2021, 2:11:56 AM
to vert.x
Chrome dev tool request.

    Request URL:
    Request Method: GET
    Status Code: 200 OK
    Remote Address:
    Referrer Policy: strict-origin-when-cross-origin

  Response Headers
    Access-Control-Allow-Credentials: false
    Access-Control-Allow-Origin: *
    Cache-Control: no-store, no-cache, no-transform, must-revalidate, max-age=0
    content-encoding: gzip
    content-length: 97
    Content-Type: application/json; charset=UTF-8

  Request Headers
    Accept: */*
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Connection: keep-alive
    Cookie: mrs-web.session=d2dea831866b384a263e973864d485df
    Host:
    Referer:
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36

  Query String Parameters
    t: 1610000790624
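
How a browser evaluates the two CORS headers in the captured response, as an added example that is not part of the original thread or of Vert.x: it implements the CORS check from the Fetch standard. The origin `https://other.example` and the `reflecting` and `noCors` header sets are constructed for illustration.

```javascript
// Added example: the browser-side "CORS check" from the Fetch standard,
// applied to response headers like the ones captured in the post above.

// Case-insensitive header lookup over a plain object.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// Returns true if a script running on `pageOrigin` would be allowed to read
// the response. `withCredentials` mirrors fetch(url, {credentials: "include"}).
function corsCheck(responseHeaders, pageOrigin, withCredentials) {
  const allowOrigin = header(responseHeaders, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return false;
  // The wildcard is honoured only for requests sent without credentials.
  if (!withCredentials && allowOrigin === "*") return true;
  // Otherwise the header must equal the page's origin exactly.
  if (allowOrigin !== pageOrigin) return false;
  if (!withCredentials) return true;
  // Credentialed reads additionally need the literal value "true".
  return header(responseHeaders, "Access-Control-Allow-Credentials") === "true";
}

// Summarise how one response is exposed to a page on a different origin.
function audit(responseHeaders, foreignOrigin) {
  return {
    anonymousRead: corsCheck(responseHeaders, foreignOrigin, false),
    credentialedRead: corsCheck(responseHeaders, foreignOrigin, true),
  };
}

// Constructed inputs. `captured` mirrors the two CORS headers in the post;
// `reflecting` is a hypothetical server that echoes Origin and allows
// credentials; `noCors` is a response with no CORS headers at all.
const captured = { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "false" };
const reflecting = { "access-control-allow-origin": "https://other.example", "access-control-allow-credentials": "true" };
const noCors = { "Content-Type": "application/json; charset=UTF-8" };

for (const [label, headers] of Object.entries({ captured, reflecting, noCors })) {
  console.log(label, audit(headers, "https://other.example"));
}
```
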
