
Understanding Same-Origin Policy and Solving CORS Issues in Spring Boot

This article explains the Same-Origin Policy, its security purpose and restrictions, introduces CORS as a solution for cross‑origin AJAX requests, and provides three practical ways—annotation, filter, and WebMvcConfigurerAdapter—to enable CORS in a Spring Boot application.

IT Xianyu

Same‑Origin Policy (SOP) is a browser security rule introduced by Netscape in 1995 that restricts how documents or scripts loaded from one origin can interact with resources from another origin.

Two URLs are considered same‑origin only when they share the same protocol (scheme), host name, and port; a URL that omits the port uses the scheme's default (80 for http, 443 for https). Anything else is cross‑origin, and the browser applies three restrictions to it: a script cannot read the other origin's cookies, LocalStorage or IndexedDB; it cannot access the other origin's DOM; and it cannot read the response to an AJAX request it sends there (the request may still leave the browser, but the response is withheld from the script).
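To make the definition concrete, here is an added example that is not code from the original article: a plain-Java version of the same‑origin comparison, including the default‑port rule that the definition leaves implicit. The URLs it compares are constructed for illustration; the last pair is the article's own 8086/8866 case.

```java
import java.net.URI;
import java.util.Objects;

// Added example (not code from the original article): a minimal version of the
// browser's same-origin comparison. An origin is the triple (scheme, host, port);
// when the URL omits the port, the scheme's default applies (80 for http, 443 for
// https), so "http://example.com" and "http://example.com:80" are the same origin
// while any change of scheme, host or port is cross-origin.
public final class SameOriginCheck {

    static final class Origin {
        final String scheme;
        final String host;
        final int port;

        Origin(String scheme, String host, int port) {
            this.scheme = scheme;
            this.host = host;
            this.port = port;
        }

        // Parse an absolute http(s) URL into its origin triple. Path, query and
        // fragment play no part in the comparison.
        static Origin of(String url) {
            URI uri = URI.create(url);
            if (uri.getScheme() == null || uri.getHost() == null) {
                throw new IllegalArgumentException("not an absolute URL: " + url);
            }
            String scheme = uri.getScheme().toLowerCase();
            int port = uri.getPort();
            if (port == -1) {
                if (scheme.equals("http")) port = 80;
                else if (scheme.equals("https")) port = 443;
                else throw new IllegalArgumentException("no default port for scheme: " + scheme);
            }
            return new Origin(scheme, uri.getHost().toLowerCase(), port);
        }

        @Override public boolean equals(Object o) {
            if (!(o instanceof Origin)) return false;
            Origin other = (Origin) o;
            return scheme.equals(other.scheme) && host.equals(other.host) && port == other.port;
        }

        @Override public int hashCode() { return Objects.hash(scheme, host, port); }

        @Override public String toString() { return scheme + "://" + host + ":" + port; }
    }

    // True when both URLs share scheme, host and effective port.
    static boolean sameOrigin(String a, String b) {
        return Origin.of(a).equals(Origin.of(b));
    }

    public static void main(String[] args) {
        String[][] pairs = {
            {"http://example.com/index.html", "http://example.com:80/api/data"}, // same origin: 80 is the default
            {"http://example.com", "https://example.com"},                      // scheme differs
            {"http://example.com", "http://api.example.com"},                   // host differs (subdomain)
            {"http://127.0.0.1:8086", "http://127.0.0.1:8866"},                 // the article's case: port differs
        };
        for (String[] p : pairs) {
            System.out.printf("%-34s vs %-34s same-origin=%b%n", p[0], p[1], sameOrigin(p[0], p[1]));
        }
    }
}
```

Compile and run with `javac SameOriginCheck.java && java SameOriginCheck`; only the first pair reports same-origin=true. Note that a subdomain counts as a different host, which is why sites that want to share data across subdomains must still go through CORS.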

SOP exists to protect user data. Without it, a page from a malicious site could read another site's cookies and DOM, or send requests that carry the user's session and read the replies, and thereby act as the logged‑in user. The three restrictions above are how browsers prevent this for content that is not same‑origin.

To get around these restrictions for AJAX requests, three techniques are commonly used: JSONP, which supports only GET and executes whatever script the remote server returns; WebSocket, which is not subject to SOP, so the server must check the Origin header itself; and the modern CORS (Cross‑Origin Resource Sharing) standard, in which the server declares through Access‑Control‑* response headers which origins may read its resources and the browser enforces that declaration.

For a Spring Boot application, three practical ways to enable CORS are demonstrated.

1. Annotation method: add @CrossOrigin to a controller class or to a specific handler method. Without arguments it permits every origin; @CrossOrigin(origins = "http://127.0.0.1:8086", maxAge = 3600) restricts it to one origin and lets the browser cache the preflight result for an hour.

import javax.servlet.http.HttpServletRequest;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
@CrossOrigin // class level: applies to every handler below; with no arguments, any origin is allowed
public class ApiController {
    @GetMapping("/index")
    public String index(HttpServletRequest request) {
        request.getSession().setMaxInactiveInterval(60 * 30); // session idle timeout: 30 minutes
        return "index"; // view name
    }
}

2. Filter method: implement a servlet filter that sets the appropriate Access‑Control‑* response headers.

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;

@Component
public class CorsFilter implements Filter {
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        // "*" lets any website read responses to unauthenticated requests. Browsers refuse to
        // combine it with Access-Control-Allow-Credentials, so that header must not be added here;
        // for cookie- or token-authenticated APIs, check Origin against a list and echo the match.
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE, HEAD");
        response.setHeader("Access-Control-Max-Age", "3600"); // preflight result may be cached for an hour
        // Request header names the browser may send. "access-control-allow-origin" is a response
        // header and has no effect in this list.
        response.setHeader("Access-Control-Allow-Headers",
                "access-control-allow-origin, authority, content-type, version-info, X-Requested-With");
        // Preflight OPTIONS requests also pass down the chain; Spring Boot dispatches OPTIONS to MVC,
        // which answers mapped paths with 200, so the headers set above reach the browser.
        chain.doFilter(req, res);
    }
}

3. Configuration method: extend WebMvcConfigurerAdapter (deprecated since Spring 5.0; on Spring 5 and later implement WebMvcConfigurer directly) and override addCorsMappings to define global CORS rules. List the allowed origins explicitly: combining allowCredentials(true) with allowedOrigins("*") is rejected at startup by Spring 5.3 and later, and on older versions it makes Spring reflect whatever Origin the request carries, which lets any website make credentialed requests as the logged‑in user.

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
public class WebMvcConfig extends WebMvcConfigurerAdapter {
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")                        // every path in the application
                .allowCredentials(true)                   // browser may send cookies / auth headers
                .allowedOrigins("http://127.0.0.1:8086")  // explicit list; never "*" together with credentials
                .allowedMethods("POST", "GET", "PUT", "OPTIONS", "DELETE")
                .maxAge(3600)                             // preflight cache, in seconds
                .allowedHeaders("*");
    }
}

With any of these approaches, AJAX requests from http://127.0.0.1:8086 to http://127.0.0.1:8866 (distinct origins, because the port differs) succeed: the browser finds a matching Access‑Control‑Allow‑Origin header in the response and releases the response to the calling script.
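Whichever of the three Spring mechanisms is used, the headers the framework emits come out of the same decision procedure. The following is an added example, not code from the original article and not Spring's own implementation: a framework‑free model of that procedure, exercised against the article's origin http://127.0.0.1:8086 and against a constructed unlisted origin, http://attacker.example. It shows the matched origin being echoed instead of "*", a preflight being answered from the policy alone, and the wildcard‑plus‑credentials combination being refused.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Added example (not code from the original article, and not Spring's own implementation):
// a framework-free model of the decision a CORS-aware server makes for each request. It makes
// explicit what the Spring configurations above hide: the allow-list is matched against the
// request's Origin header and the matching origin is echoed back (never "*" together with
// credentials), a preflight OPTIONS is answered from the policy without running the handler,
// and an unlisted origin simply gets no Access-Control-* headers.
public final class CorsPolicy {

    private final Set<String> allowedOrigins = new TreeSet<>();  // exact origins or "*"
    private final Set<String> allowedMethods = new TreeSet<>();  // upper-case
    private final Set<String> allowedHeaders = new TreeSet<>();  // lower-case or "*"
    private final boolean allowCredentials;
    private final long maxAgeSeconds;

    public CorsPolicy(List<String> origins, List<String> methods, List<String> headers,
                      boolean allowCredentials, long maxAgeSeconds) {
        // The rule Spring 5.3+ enforces at startup. Browsers reject "Allow-Origin: *" combined
        // with "Allow-Credentials: true", and reflecting whatever Origin arrives instead would
        // let any website make authenticated requests as the logged-in user.
        if (allowCredentials && origins.contains("*")) {
            throw new IllegalArgumentException("allowedOrigins cannot contain \"*\" when allowCredentials is true");
        }
        allowedOrigins.addAll(origins);
        for (String m : methods) allowedMethods.add(m.toUpperCase(Locale.ROOT));
        for (String h : headers) allowedHeaders.add(h.toLowerCase(Locale.ROOT));
        this.allowCredentials = allowCredentials;
        this.maxAgeSeconds = maxAgeSeconds;
    }

    // Outcome for one request: headers to add, whether the request is accepted at all,
    // and whether it was a preflight the caller should answer with 204 and stop.
    public static final class Decision {
        public final Map<String, String> headers = new LinkedHashMap<>();
        public boolean allowed;
        public boolean preflightHandled;
    }

    // `origin` is the Origin request header (null when absent); `acRequestMethod` and
    // `acRequestHeaders` are the Access-Control-Request-* headers a preflight carries.
    public Decision evaluate(String method, String origin, String acRequestMethod, String acRequestHeaders) {
        Decision d = new Decision();
        if (origin == null) { d.allowed = true; return d; }  // same-origin or non-browser client
        d.headers.put("Vary", "Origin");  // response depends on Origin; shared caches must not mix them up
        boolean wildcard = allowedOrigins.contains("*");
        if (!wildcard && !allowedOrigins.contains(origin)) { d.allowed = false; return d; }

        if ("OPTIONS".equals(method) && acRequestMethod != null) {  // preflight
            if (!allowedMethods.contains(acRequestMethod.toUpperCase(Locale.ROOT))) { d.allowed = false; return d; }
            if (acRequestHeaders != null && !allowedHeaders.contains("*")) {
                for (String h : acRequestHeaders.split(",")) {
                    String name = h.trim().toLowerCase(Locale.ROOT);
                    if (!name.isEmpty() && !allowedHeaders.contains(name)) { d.allowed = false; return d; }
                }
            }
            d.headers.put("Access-Control-Allow-Methods", String.join(", ", allowedMethods));
            if (acRequestHeaders != null) d.headers.put("Access-Control-Allow-Headers", acRequestHeaders);
            d.headers.put("Access-Control-Max-Age", Long.toString(maxAgeSeconds));
            d.preflightHandled = true;
        }
        d.headers.put("Access-Control-Allow-Origin", wildcard ? "*" : origin);  // echo the matched origin
        if (allowCredentials) d.headers.put("Access-Control-Allow-Credentials", "true");
        d.allowed = true;
        return d;
    }

    public static void main(String[] args) {
        CorsPolicy policy = new CorsPolicy(
                Arrays.asList("http://127.0.0.1:8086"),
                Arrays.asList("GET", "POST", "PUT", "DELETE"),
                Arrays.asList("Content-Type", "X-Requested-With"), true, 3600);

        // Preflight for a PUT with a custom header from the listed origin: answered here with 204.
        Decision pre = policy.evaluate("OPTIONS", "http://127.0.0.1:8086", "PUT", "content-type, x-requested-with");
        System.out.println("preflight allowed=" + pre.allowed + " handled=" + pre.preflightHandled + " " + pre.headers);

        // Actual GET from the listed origin: that origin, not "*", is echoed together with credentials.
        Decision ok = policy.evaluate("GET", "http://127.0.0.1:8086", null, null);
        System.out.println("actual    allowed=" + ok.allowed + " " + ok.headers);

        // Constructed unlisted origin: no Access-Control-* headers, so the browser withholds the response.
        Decision bad = policy.evaluate("GET", "http://attacker.example", null, null);
        System.out.println("unlisted  allowed=" + bad.allowed + " " + bad.headers);

        // The wildcard-plus-credentials combination is refused outright.
        try {
            new CorsPolicy(Arrays.asList("*"), Arrays.asList("GET"), Arrays.asList("*"), true, 3600);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with `javac CorsPolicy.java && java CorsPolicy`. Two details are worth carrying over to any real deployment: the Vary: Origin header, which keeps a shared cache from serving one origin's Access‑Control‑Allow‑Origin value to another, and the fact that an unlisted origin receives no error, just a response without CORS headers, which the browser then refuses to hand to the page.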

Tags: Java, Spring Boot, CORS, Cross-Origin, Same-Origin Policy, Web Security

Written by IT Xianyu

We share common IT technologies (Java, Web, SQL, etc.) and practical applications of emerging software development techniques. New articles are posted daily. Follow IT Xianyu to stay ahead in tech. The IT Xianyu series is being regularly updated.