Jetty version(s)
jetty 12.1.8
Jetty Environment
ee8
HTTP version
HTTP 1.1
Java version/vendor (use: java -version)
openjdk version "17.0.18" 2026-01-20 LTS
OpenJDK Runtime Environment Corretto-17.0.18.9.1 (build 17.0.18+9-LTS)
OpenJDK 64-Bit Server VM Corretto-17.0.18.9.1 (build 17.0.18+9-LTS, mixed mode, sharing)
OS type/version
docker container jetty:12.1.8-jdk17-eclipse-temurin
Description
If you configure the CrossOriginHandler with allowed headers "*" and credentials enabled, it will incorrectly return the header "Access-Control-Allow-Headers: *" for a preflight response. According to the spec, "*" is an invalid response for a CORS preflight request with credentials enabled. The deprecated CrossOriginFilter correctly reflects the requested headers in the response in this situation.
How to reproduce?
Configure the CrossOriginHandler with allowed headers "*" and credentials enabled and make a preflight request with requested headers.
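A way to check a captured preflight response for the behaviour reported above, as an added example that is not part of the original report or of Jetty's code. It applies the Fetch standard's rule that, for a credentialed request, "*" in Access-Control-Allow-Headers is compared as a literal header name rather than as a wildcard; the function name, the origin and both sample responses are constructed for illustration.

```python
def _tokens(value):
    """Split a comma-separated header value into lowercase tokens."""
    return {t.strip().lower() for t in (value or "").split(",") if t.strip()}


def preflight_header_failures(requested_headers, response_headers, credentialed):
    """Return the requested header names a browser would refuse for this preflight.

    requested_headers: names sent in Access-Control-Request-Headers.
    response_headers:  dict of the preflight response headers.
    credentialed:      True when the actual request will carry credentials.
    """
    resp = {k.lower(): v for k, v in response_headers.items()}
    allowed = _tokens(resp.get("access-control-allow-headers"))
    # "*" only acts as a wildcard when the request is NOT credentialed.
    wildcard = "*" in allowed and not credentialed
    rejected = []
    for name in requested_headers:
        lowered = name.lower()
        if lowered in allowed:
            continue
        # Authorization is never covered by the wildcard; it must be listed.
        if wildcard and lowered != "authorization":
            continue
        rejected.append(name)
    return rejected


# Constructed sample responses (not captured from a real server).
WILDCARD_RESPONSE = {  # shape described in the report for CrossOriginHandler
    "Access-Control-Allow-Origin": "https://app.example",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers": "*",
}
REFLECTED_RESPONSE = {  # requested headers echoed back, as the report says CrossOriginFilter does
    "Access-Control-Allow-Origin": "https://app.example",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers": "X-Requested-With, Content-Type",
}

if __name__ == "__main__":
    requested = ["X-Requested-With", "Content-Type"]
    for label, resp in (("wildcard", WILDCARD_RESPONSE), ("reflected", REFLECTED_RESPONSE)):
        failures = preflight_header_failures(requested, resp, credentialed=True)
        print(f"{label}: rejected={failures}")
```
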