CORS not working in docker

I'm running a docker container as follows.

$ docker run -d \
    -e SITE="Plone" \
    -e TYPE="classic" \
    -e CORS_ALLOW_ORIGIN="*" \
    -p 8080:8080 \
    --name mycontainer \
    plone/plone-backend:6.1.3

I'd expect CORS headers like Access-Control-Allow-Origin etc., but none of them seem to be sent:

$ curl -s -I -X GET "http://localhost:8080/Plone"
HTTP/1.1 200 OK
Content-Language: en
Content-Length: 16374
Content-Type: text/html;charset=utf-8
Date: Mon, 03 Nov 2025 08:45:18 GMT
Expires: Sat, 1 Jan 2000 00:00:00 GMT
Server: waitress
Via: waitress
X-Frame-Options: SAMEORIGIN
X-Powered-By: Zope (www.zope.dev), Python (www.python.org)

The file package-includes/999-cors-overrides.zcml is as follows (is the doubled embedded configure-tag ok?):

$ docker exec -it mycontainer cat /app/etc/package-includes/999-cors-overrides.zcml
<configure
  xmlns="http://namespaces.zope.org/zope">
  <configure
    xmlns="http://namespaces.zope.org/zope"
    xmlns:plone="http://namespaces.plone.org/plone">
    <plone:CORSPolicy
      allow_origin="*"
      allow_methods="DELETE,GET,OPTIONS,PATCH,POST,PUT"
      allow_credentials="true"
      expose_headers="Content-Length,X-My-Header"
      allow_headers="Accept,Authorization,Content-Type,X-Custom-Header,Lock-Token"
      max_age="3600"
     />
  </configure>
</configure>

You need to send an Origin header in your request when you test.

An Origin header seems not to make any difference:

$ curl -s -I -X GET "http://localhost:8080/Plone" -H "Origin: http://localhost"

HTTP/1.1 200 OK
Content-Language: en
Content-Length: 16199
Content-Type: text/html;charset=utf-8
Date: Mon, 03 Nov 2025 17:10:24 GMT
Expires: Sat, 1 Jan 2000 00:00:00 GMT
Server: waitress
Via: waitress
X-Frame-Options: SAMEORIGIN
X-Powered-By: Zope (www.zope.dev), Python (www.python.org)

Here with `--verbose`:

$ curl -s -I "http://localhost:8080/Plone" -H "Origin: http://localhost" -H "Access-Control-Request-Method: GET" --verbose
*   Trying ::1:8080...
* Connected to localhost (::1) port 8080 (#0)
> HEAD /Plone HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.74.0
> Accept: */*
> Origin: http://localhost
> Access-Control-Request-Method: GET
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
< Content-Length: 26
Content-Length: 26
< Content-Location: http://localhost:8080/Plone/
Content-Location: http://localhost:8080/Plone/
< Content-Type: application/json
Content-Type: application/json
< Date: Mon, 03 Nov 2025 17:14:29 GMT
Date: Mon, 03 Nov 2025 17:14:29 GMT
< Date: Mon, 03 Nov 2025 17:14:29 GMT
Date: Mon, 03 Nov 2025 17:14:29 GMT
< Server: waitress
Server: waitress
< Via: waitress
Via: waitress
< X-Powered-By: Zope (www.zope.dev), Python (www.python.org)
X-Powered-By: Zope (www.zope.dev), Python (www.python.org)

< 
* Connection #0 to host localhost left intact

Oh – the CORS policy is a feature provided by plone.rest for REST services, but you’re calling a view which is not a REST service.

That was it. Thanks a lot.
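
The check a browser applies to responses like the ones in this thread, as an added example that is not part of the original posts: it parses a captured `curl -I` header block and applies the CORS check for a given Origin, with and without credentials. The first sample is the view response quoted above; the two REST-style responses are constructed for illustration (the policy above combines `allow_origin="*"` with `allow_credentials="true"`) and are not claimed to be what plone.rest emits.

```python
# Added example: browser-side CORS check applied to captured response headers.

VIEW_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Date: Mon, 03 Nov 2025 17:10:24 GMT
Server: waitress
X-Frame-Options: SAMEORIGIN
"""  # abridged from the plain-view response in the thread: no CORS headers

REST_REFLECTED = """HTTP/1.1 200 OK
Content-Type: application/json
Access-Control-Allow-Origin: http://localhost
Access-Control-Allow-Credentials: true
"""  # constructed sample: origin echoed back

REST_WILDCARD = """HTTP/1.1 200 OK
Content-Type: application/json
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
"""  # constructed sample: literal wildcard plus credentials


def parse_headers(raw):
    """Parse `curl -I` output into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def cors_verdict(origin, raw_response, credentialed=False):
    """Return (allowed, reason) for a cross-origin read of this response."""
    h = parse_headers(raw_response)
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return False, "no Access-Control-Allow-Origin header"
    if acao == "*":
        if credentialed:
            return False, "wildcard origin is rejected for credentialed requests"
        return True, "wildcard origin"
    if acao != origin:
        return False, "origin mismatch"
    if credentialed and h.get("access-control-allow-credentials") != "true":
        return False, "Access-Control-Allow-Credentials is not 'true'"
    return True, "origin matches"


if __name__ == "__main__":
    for label, raw in [("view", VIEW_RESPONSE), ("reflected", REST_REFLECTED), ("wildcard", REST_WILDCARD)]:
        print(label, cors_verdict("http://localhost", raw, credentialed=True))
```

A policy that echoes the caller's origin and also allows credentials passes this check for every origin, so an explicit `allow_origin` list is the safer setting when cookies or Authorization headers are involved.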