Different header behavior CORS vs CSP #4065

@MelleD

Description

I've noticed a difference in how Spring handles header merging for CORS vs Content Security Policy (CSP) when using Spring Cloud Gateway with upstream services that also set these headers.

Current Behavior

CORS Headers

  • CORS headers from the gateway and upstream services are automatically merged when both services set CORS
  • This works seamlessly without additional configuration

CSP Headers

  • No merge functionality exists for CSP headers
  • When an upstream service sets CSP headers, the gateway's CSP configuration is completely ignored

Expected Behavior

I would expect both CORS and CSP to behave consistently. Either:

  1. Both should support automatic merging, or
  2. Both should explicitly overwrite without merging

I also found no documentation on this behavior. Is this Spring default behavior or something special in Spring Cloud Gateway?

Questions

  1. Is this difference intentional? If so, what's the reasoning behind treating CORS and CSP differently?
  2. Where can I find the merge logic for CORS?
  3. Is there a way to achieve consistent behavior? Should CSP get similar merge support, or should developers handle this at the application level?

Thanks
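The following is an added example, not code from the issue author or from the Spring Cloud Gateway project: a `GlobalFilter` that applies one explicit rule to both header families at response-commit time, so the outcome no longer depends on whether the upstream also set them. The class name, the `GATEWAY_CSP` value and the assumption that the first CORS value in the list is the gateway's own are all assumptions for illustration. The two header families are handled differently on purpose: browsers reject a response carrying two `Access-Control-Allow-Origin` values, so duplicate CORS headers are collapsed to one, whereas browsers enforce every `Content-Security-Policy` header present (the effective policy is their intersection), so adding the gateway's policy beside the upstream's can only tighten the result, never loosen it.

```java
import java.util.List;

import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.core.Ordered;
import org.springframework.http.HttpHeaders;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;

import reactor.core.publisher.Mono;

/**
 * Added example (not Spring Cloud Gateway's own code): one explicit policy for
 * CORS and CSP response headers, regardless of what the upstream service sent.
 */
@Component
public class SecurityHeaderPolicyFilter implements GlobalFilter, Ordered {

    // Assumed gateway-wide baseline policy; a real deployment would read it from configuration.
    private static final String GATEWAY_CSP = "default-src 'self'; frame-ancestors 'none'";

    private static final String CSP_HEADER = "Content-Security-Policy";

    private static final List<String> CORS_HEADERS = List.of(
            HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN,
            HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS,
            HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS,
            HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS);

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        // Run just before the response is committed, i.e. after the upstream
        // headers have been copied onto the gateway response.
        exchange.getResponse().beforeCommit(() -> {
            applyPolicy(exchange.getResponse().getHeaders());
            return Mono.empty();
        });
        return chain.filter(exchange);
    }

    /** Package-private so the rule can be unit-tested on a plain HttpHeaders instance. */
    static void applyPolicy(HttpHeaders headers) {
        // CORS: a duplicated header (two Access-Control-Allow-Origin values, say) makes
        // browsers fail the request, so collapse duplicates to a single value.
        // Assumption: the first value in the list is the one the gateway itself set.
        for (String name : CORS_HEADERS) {
            List<String> values = headers.get(name);
            if (values != null && values.size() > 1) {
                headers.set(name, values.get(0));
            }
        }

        // CSP: every Content-Security-Policy header is enforced independently, so the
        // gateway baseline is added alongside any upstream policy rather than replacing
        // it; the browser applies the intersection of both.
        List<String> csp = headers.get(CSP_HEADER);
        if (csp == null || !csp.contains(GATEWAY_CSP)) {
            headers.add(CSP_HEADER, GATEWAY_CSP);
        }
    }

    @Override
    public int getOrder() {
        return Ordered.HIGHEST_PRECEDENCE;
    }
}
```

With this in place the gateway's CSP baseline is never silently dropped when an upstream sets its own, and a stray duplicate CORS header from an upstream does not break cross-origin calls; `applyPolicy` can be exercised directly with a constructed `HttpHeaders` to confirm both outcomes.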
