4.x CORS is active even if not configured and not explicitly added programmatically #7990

Closed
tjquinno opened this issue Nov 10, 2023 · 0 comments · Fixed by #8038
Labels
4.x Version 4.x bug Something isn't working webserver

tjquinno commented Nov 10, 2023

Environment Details

  • Helidon Version: 4.0.0
  • Helidon SE or Helidon MP
  • JDK version:
  • OS:
  • Docker version (if applicable):

Problem Description

Helidon's CORS processing responds to CORS requests even if there is no cors configuration and even if CORS is not set up programmatically.

NOTE: This is not an issue in the CORS code itself but rather, apparently, in how the server discovers and activates CORS.

This is a major change in behavior from Helidon 3.

Previously, if the user did not explicitly configure CORS (or programmatically add CORS support to an SE app) then Helidon's CORS processing was never invoked.

By contrast, in Helidon 4 a request with CORS headers is processed by Helidon's CORS implementation by default, without cors configuration or explicit code adding CORS support.

Further, the CORS processing uses default CORS settings which are permissive.

Running mvn dependency:tree on the SE QuickStart app shows that the health observer brings in helidon-webserver-observe which brings in CORS. (Same for the metrics observer if you comment out the health dependencies from the pom.xml file.)

Steps to reproduce

  1. With the Helidon 3 SE QuickStart app:
    1. Build and run the app.
    2. Submit the following request: curl -i -X GET -H "Origin: http://foo.com" -H "Host: here.com" http://localhost:8080/greet
    3. The output includes no CORS headers.
  2. Do the same with the Helidon 4 SE QuickStart app:
    1. Build it and run it.
    2. Submit the same request as above.
    3. Note the CORS headers in the returned response.
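
A check for the behaviour reported above, as an added example that is not part of the original issue or of the Helidon code base: it reads `curl -i` output and flags any `Access-Control-*` response headers on a service where CORS was never configured. The function names and both sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Helidon project code): flag CORS response headers on a
# service that is not supposed to have CORS enabled.

# Print the Access-Control-* headers of a raw HTTP response read from stdin.
# Only the header section is inspected; the body is ignored.
cors_headers() {
    tr -d '\r' | awk '
        /^$/ { exit }    # blank line ends the header section
        tolower($0) ~ /^access-control-[a-z-]+:/ { print }'
}

# Return 0 if the response on stdin has no CORS headers, 1 otherwise.
# $1 is the Origin value that was sent with the probe request.
audit_cors() {
    found=$(cors_headers)
    if [ -z "$found" ]; then
        echo "OK: no CORS headers in response"
        return 0
    fi
    echo "UNEXPECTED: response carries CORS headers:"
    printf '%s\n' "$found" | sed 's/^/  /'
    allow=$(printf '%s\n' "$found" | awk '
        tolower($0) ~ /^access-control-allow-origin:/ { sub(/^[^:]*:[ \t]*/, ""); print }')
    if [ "$allow" = "*" ]; then
        echo "  -> any origin is allowed"
    elif [ -n "$allow" ] && [ "$allow" = "$1" ]; then
        echo "  -> probe origin was echoed back"
    fi
    return 1
}

# Constructed sample responses (not captured from a real server).
sample_without_cors() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\naccess-control-allow-origin: body text only\n'
}
sample_with_cors() {
    printf 'HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: *\r\nVary: Origin\r\n\r\n{}\n'
}

# Live use with the request from the issue:
#   curl -si -H "Origin: http://foo.com" -H "Host: here.com" \
#        http://localhost:8080/greet | audit_cors http://foo.com
sample_without_cors | audit_cors http://foo.com
sample_with_cors    | audit_cors http://foo.com || true
```

The non-zero exit status on unexpected headers lets the check run as a smoke test after a framework upgrade.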