Package org.springframework.web.bind.annotation

Annotation Type CrossOrigin

  • @Target({METHOD,TYPE})
@Retention(RUNTIME)
@Documented
public @interface CrossOrigin
    Marks the annotated method or type as permitting cross origin requests.

    By default all origins and headers are permitted, credentials are not allowed, and the maximum age is set to 1800 seconds (30 minutes). The list of HTTP methods is set to the methods on the @RequestMapping if not explicitly set on @CrossOrigin.

    NOTE:@CrossOrigin is processed if an appropriate HandlerMapping-HandlerAdapter pair is configured such as the RequestMappingHandlerMapping-RequestMappingHandlerAdapter pair which are the default in the MVC Java config and the MVC namespace. In particular @CrossOrigin is not supported with the DefaultAnnotationHandlerMapping-AnnotationMethodHandlerAdapter pair both of which are also deprecated.

    Since:
    4.2
    Author:
    Russell Allen, Sebastien Deleuze, Sam Brannen

      • origins

        @AliasFor("value")
String[] origins
        List of allowed origins, e.g. "https://domain1.com".

        These values are placed in the Access-Control-Allow-Origin header of both the pre-flight response and the actual response. "*" means that all origins are allowed.

        If undefined, all origins are allowed.

        Note: CORS checks use values from "Forwarded" (RFC 7239), "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers, if present, in order to reflect the client-originated address. Consider using the ForwardedHeaderFilter in order to choose from a central place whether to extract and use, or to discard such headers. See the Spring Framework reference for more on this filter.

        See Also:
        value()
        Default:
        {}

      • allowedHeaders

        String[] allowedHeaders
        List of request headers that can be used during the actual request.

        This property controls the value of the pre-flight response's Access-Control-Allow-Headers header. "*" means that all headers requested by the client are allowed.

        If undefined, all requested headers are allowed.

        Default:
        {}

      • exposedHeaders

        String[] exposedHeaders
        List of response headers that the user-agent will allow the client to access.

        This property controls the value of actual response's Access-Control-Expose-Headers header.

        If undefined, an empty exposed header list is used.

        Default:
        {}

      • methods

        RequestMethod[] methods
        List of supported HTTP request methods, e.g. "{RequestMethod.GET, RequestMethod.POST}".

        Methods specified here override those specified via RequestMapping.

        If undefined, methods defined by RequestMapping annotation are used.

        Default:
        {}

      • allowCredentials

        String allowCredentials
        Whether the browser should include any cookies associated with the domain of the request being annotated.

        Set to "false" if such cookies should not included. An empty string ("") means undefined. "true" means that the pre-flight response will include the header Access-Control-Allow-Credentials=true.

        If undefined, this is set to "false" in which case credentials are not allowed.

        Default:
        ""

      • maxAge

        long maxAge
        The maximum age (in seconds) of the cache duration for pre-flight responses.

        This property controls the value of the Access-Control-Max-Age header in the pre-flight response.

        Setting this to a reasonable value can reduce the number of pre-flight request/response interactions required by the browser. A negative value means undefined.

        If undefined, max age is set to 1800 seconds (i.e., 30 minutes).

        Default:
        -1L