Turning off CORS

We are doing some testing on Play Framework. I disabled CORS in the conf file
play.filters.disabled += "play.filters.csrf.CSRFFilter"
and when I run curl commands it works. However Chrome sends
Sec-Fetch-Mode: cors and I am unable to turn it off, and Play rejects/does not accept the call. Is there any way to change the configuration to accept the call regardless of what's passed from the browser?

You did not disable CORS, you disabled CSRF. If you want to disable the CORS filter use:

play.filters.disabled += "play.filters.cors.CORSFilter"

Or you can completely disable the module(s) as well:

play.modules {
  disabled += "play.filters.cors.CORSModule"
  // same with CSRF module:
  disabled += "play.filters.csrf.CSRFModule"
}

Can’t thank you for the help. That works now.

Meant to say "Can't thank you enough", not "Can't thank you" 🙂


Hi Mathias.
I did the following. I do have a valid certificate - mobile.pm2c.net.
However play complains
Using generated key with self signed certificate for HTTPS. This should NOT be used in production.
How do I fix this ?
Thank you

Where do you have this certificate? I mean did you configure Play to use it or is there nginx or something in between?

How do you run Play? Are you sure you run it in production mode?

Hi Matthias,
AWS issued the certificate. If I use curl commands or in the browser it works. We are working with an external provider. They are using react local server.

The command I am using is
mobile-1.0/bin/mobile -Dhttps.port=443 -Dconfig.file=mobile-1.0/conf/application.conf -Dlogger.resource=logback.xml -Duser.timezone=GMT > app.out &

application.conf has the following related to CORS …
play.filters.hosts.allowed = ["."]

# disable csrf for curl testing
play.filters.disabled += "play.filters.csrf.CSRFFilter"
play.filters.disabled += "play.filters.cors.CORSFilter"

play.http.secret.key= …

Thank you

Hi Mathias
AWS issued the certificate for pm2.net and we are using a load balancer. I see the following message in the backend with logging turned on
Using generated key with self signed certificate for HTTPS. This should NOT be used in production.

2021-05-11 07:26:33,144 - [INFO] - from play.core.server.AkkaHttpServer in main
Enabling HTTP/2 on Akka HTTP server...
2021-05-11 07:26:33,147 - [INFO] - from play.core.server.AkkaHttpServer in main
Listening for HTTP on /0:0:0:0:0:0:0:0:9000
2021-05-11 07:26:33,150 - [INFO] - from play.core.server.AkkaHttpServer in main
Listening for HTTPS on /0:0:0:0:0:0:0:0:443

Seems like the Play server is using a "self generated key". How do I make it use the production SSL certificate we have from AWS?

Thank you

Looking at the Play documentation, I see the following. It seems to suggest:

  • play.server.https.keyStore.path - The path to the keystore containing the private key and certificate, if not provided generates a keystore for you
  • play.server.https.keyStore.type - The key store type, defaults to JKS
  • play.server.https.keyStore.password - The password, defaults to a blank password
  • play.server.https.keyStore.algorithm - The key store algorithm, defaults to the platforms default algorithm

Is this the issue? If so, how should I add these to the conf file?
Thank you.

I ran the command I saw on your website
openssl s_client -showcerts -connect mobile.pm2c.net:443
and I see a response something like …
C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2

Seems like a valid SSL certificate. How do I make the Play server use it?
Thank you

Thank you.

Hi Mathias
Seems like whitelisting one URL from the same client is working. Isn't the whitelist for the client as a whole instead of for a particular URL?

Hi Mathias,
Here's what we ended up adding in application.log in addition to the filter, and login works.
play.filters.cors.allowedOrigins = ["http://localhost:3000"]

play.filters.disabled += "play.filters.csrf.CSRFFilter"
play.filters.disabled += "play.filters.cors.CORSFilter"

Any ideas as to why this works? I don't see why
play.filters.cors.allowedOrigins = ["http://localhost:3000"]
makes a difference; we can remove it. Do you know why we need to whitelist the Origins?
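The thread turns on two things that are easy to conflate: what play.filters.disabled actually removes (the first post disabled the CSRF filter, not the CORS filter) and why play.filters.cors.allowedOrigins matters once the CORS filter is on. The following is an added example, not code from the thread or from Play itself. It is an offline model of the exchange: the "server" side models what Play's CORSFilter does with allowedOrigins (echoing the Origin and answering preflights when the origin is allowed, answering 403 when it is not, accepting every origin when the setting is unset), and the "browser" side models Chrome's same-origin policy for a fetch() from the React dev server at http://localhost:3000. The login action, the /login path and the JSON POST are constructed for the example; the exact headers Play emits (supportsCredentials, max-age, etc.) are simplified. The CSRF filter is a separate concern and is not modelled.

```python
"""Offline model of CORS between curl, a browser page and a Play-style backend.

Constructed example. The server side models Play's CORSFilter as configured by
play.filters.cors.allowedOrigins; it is not Play's code. No network is used.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Content types that do not trigger a preflight (CORS "simple" requests)
SIMPLE_CONTENT_TYPES = ("application/x-www-form-urlencoded", "multipart/form-data", "text/plain")


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


Handler = Callable[[Request], Response]


def login_action(req: Request) -> Response:
    """Stand-in for the application's login controller (constructed)."""
    return Response(200, body="login ok")


def cors_filter(req: Request, allowed_origins: Optional[List[str]], action: Handler) -> Response:
    """Model of Play's CORSFilter.

    allowed_origins=None models allowedOrigins left unset (every origin accepted);
    a list models the whitelist. A request without Origin is not a CORS request
    and is passed straight to the action untouched.
    """
    origin = req.headers.get("Origin")
    if origin is None:
        return action(req)
    if allowed_origins is not None and origin not in allowed_origins:
        # Non-whitelisted origin: rejected outright instead of answered without CORS headers
        return Response(403, body="Forbidden")
    cors = {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}
    if req.method == "OPTIONS" and "Access-Control-Request-Method" in req.headers:
        # Preflight is answered by the filter itself; the action never runs
        cors["Access-Control-Allow-Methods"] = req.headers["Access-Control-Request-Method"]
        cors["Access-Control-Allow-Headers"] = req.headers.get("Access-Control-Request-Headers", "")
        return Response(200, headers=cors)
    resp = action(req)
    resp.headers.update(cors)
    return resp


def make_server(cors_filter_enabled: bool, allowed_origins: Optional[List[str]] = None) -> Handler:
    """Model of a Play app with CORSFilter enabled, or listed in play.filters.disabled."""
    def server(req: Request) -> Response:
        # Sec-Fetch-Mode is browser metadata; nothing here reads it, so it cannot cause a rejection
        if cors_filter_enabled:
            return cors_filter(req, allowed_origins, login_action)
        return login_action(req)
    return server


def curl(server: Handler, req: Request) -> str:
    """curl sends no Origin and enforces nothing, so CORS never comes into play."""
    resp = server(req)
    return f"{resp.status} {resp.body}"


def browser_fetch(server: Handler, page_origin: str, req: Request) -> str:
    """Model of Chrome running fetch() from a page at page_origin against another origin."""
    req.headers["Origin"] = page_origin
    req.headers["Sec-Fetch-Mode"] = "cors"  # added by the browser; page JS cannot change it
    ctype = req.headers.get("Content-Type", "")
    needs_preflight = req.method not in ("GET", "HEAD", "POST") or (ctype and not ctype.startswith(SIMPLE_CONTENT_TYPES))
    if needs_preflight:
        pre = Request("OPTIONS", req.path, {"Origin": page_origin,
                                            "Access-Control-Request-Method": req.method,
                                            "Access-Control-Request-Headers": "content-type"})
        pre_resp = server(pre)
        if pre_resp.status >= 400 or pre_resp.headers.get("Access-Control-Allow-Origin") not in (page_origin, "*"):
            return f"blocked by browser: preflight answered {pre_resp.status} without a usable Access-Control-Allow-Origin"
    resp = server(req)
    if resp.headers.get("Access-Control-Allow-Origin") not in (page_origin, "*"):
        # The request did reach the server; the browser only withholds the response from the page
        return f"blocked by browser: {resp.status} without Access-Control-Allow-Origin"
    return f"{resp.status} {resp.body}"


def run_scenarios() -> Dict[str, str]:
    """The situations from the thread, each on a constructed JSON login POST."""
    def login_post() -> Request:
        return Request("POST", "/login", {"Content-Type": "application/json"})
    react_dev = "http://localhost:3000"
    return {
        "curl, CORSFilter disabled": curl(make_server(False), login_post()),
        "browser, CORSFilter disabled": browser_fetch(make_server(False), react_dev, login_post()),
        "browser, CORSFilter enabled, localhost:3000 whitelisted":
            browser_fetch(make_server(True, [react_dev]), react_dev, login_post()),
        "browser, CORSFilter enabled, other origin":
            browser_fetch(make_server(True, [react_dev]), "https://evil.example", login_post()),
        "browser, CORSFilter enabled, allowedOrigins unset":
            browser_fetch(make_server(True, None), "https://evil.example", login_post()),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:58} -> {result}")
```

Two things the run makes visible. First, disabling the CORS filter does not make the browser accept the call: with the filter off, allowedOrigins is never read and the response carries no Access-Control-Allow-Origin, so the page is blocked even though the request reached the server, while curl, which enforces nothing, succeeds either way. Second, the whitelist is what stops any other site from making credentialed requests to the API: with the filter on and allowedOrigins unset, the model accepts https://evil.example just as readily as http://localhost:3000.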