Skip to content

Javadoc for HttpSecurity.cors(Customizer<CorsConfigurer<HttpSecurity>>) gives the impression that CORS is opt-in but that's no longer the case #19139

Open
#19143
Open
Javadoc for HttpSecurity.cors(Customizer<CorsConfigurer<HttpSecurity>>) gives the impression that CORS is opt-in but that's no longer the case#19139
#19143
Labels
status: waiting-for-triageAn issue we've not yet triagedtype: bugA general bug
@wilkinsona

Description

@wilkinsona
wilkinsona
opened on Apr 30, 2026

The javadoc for HttpSecurity.cors(Customizer<CorsConfigurer<HttpSecurity>>) gives the impression that CORS is opt-in. Since the changes made for #5011 and #15444 that's no longer the case with a single UrlBasedCorsConfigurationSource bean now being sufficient to enable CORS without using the cors portion of the security configuration DSL.

Metadata

Metadata

Assignees

No one assigned

    Labels

    status: waiting-for-triageAn issue we've not yet triagedtype: bugA general bug

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions