Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hello Ory community :wave:

I'm wondering what I'm doing wrong when configuring the CORS for the public URLs.
My config looks something like in my local docker-compose.yaml:
```      - SERVE_PUBLIC_CORS_ENABLED=true
      - SERVE_PUBLIC_CORS_DEBUG=true
      - SERVE_PUBLIC_CORS_ALLOWED_ORIGINS=<https://www.allowed.com>
      - SERVE_PUBLIC_CORS_ALLOWED_METHODS=POST
      - SERVE_PUBLIC_CORS_ALLOW_CREDENTIALS=false```
But then when I run
```curl --location --request OPTIONS 'localhost:4444/oauth2/token' \
--header 'Origin: <https://www.hacker.com>' \
--header 'Access-Control-Request-Method: GET'```
I get in my return headers:
```Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: <https://www.hacker.com>
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Date: ...```
Which should not be allowed origins nor methods :disappointed:

What am I misunderstanding or doing wrong? :slightly_smiling_face: :pray:

It seems that on the preflight requests, all methods and origins are accepted, if the settings are specified.
However, I expect them to be set correctly and forbid cross origin calls on the "real" call (not the OPTIONS one).