Affects Version/s: None
Fix Version/s: None
If you access a locally running REST endpoint in the browser using the IP address 127.0.0.1 and the REST endpoint implementation uses the UriInfo to build a new URL with the URI builder (e.g. for a created resource), the reply will not use the host as accessed (127.0.0.1) but replaces the host with "localhost".
If the web application then tries to access the location, the browser will block that request because of cross-origin access.
Assume a very simple REST endpoint:
But that is not the case...
The response provides "http://localhost:8080/foo/bar"
If the website that is accessed using 127.0.0.1 provides a location using localhost and that one is used by the browser, the browser fails because of CORS.
I already looked at the sources to see what is causing the change from 127.0.0.1 to localhost and found it:
After the line https://github.com/apache/cxf/blob/cxf-3.2.5/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/impl/UriInfoImpl.java#L83 has been executed the variable u looks like http://127.0.0.1:8080/
After that "toAbsoluteUri" of HttpUtils is called.
That's the part of the code that replaces 127.0.0.1 with localhost: https://github.com/apache/cxf/blob/cxf-3.2.5/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/HttpUtils.java#L388-L391
The commit that added that part of code is https://github.com/apache/cxf/commit/ebc910780b2b9b971a7c1c2e4019bdf9ec35e460#diff-1e4a62a6414e4007d2f5be9f0313c8c0R311-R314
The git commit referenced the wrong Jira (2007) - it should have been https://issues.apache.org/jira/browse/CXF-5007
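The origin mismatch described in this report can be caught in a client-side or integration test; the following is an added example, not part of the original report and not CXF code. The function names and the request URL are assumptions made for illustration, and the check compares origins the way a browser does (scheme, host, port) while flagging the specific case where only the loopback alias differs.

```javascript
// Added example: hypothetical helpers, sample URLs constructed for illustration.

// True for host names that all reach the local machine but that a browser
// still treats as different origins: localhost, 127.0.0.0/8 and [::1].
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h === "[::1]") return true; // WHATWG URL keeps the brackets in hostname
  const m = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

// Classify a Location header relative to the URL the request was sent to.
// Returns "same-origin", "loopback-alias-mismatch" or "cross-origin".
function classifyLocation(requestUrl, locationHeader) {
  const request = new URL(requestUrl);
  // A relative Location resolves against the request URL.
  const target = new URL(locationHeader, request);

  // Browser rule: origins match only if scheme, host and port all match.
  if (target.origin === request.origin) return "same-origin";

  // The case from this report: same scheme and port, both hosts are
  // loopback, but the server answered with a different alias.
  const sameSchemeAndPort =
    target.protocol === request.protocol && target.port === request.port;
  if (
    sameSchemeAndPort &&
    isLoopbackHost(request.hostname) &&
    isLoopbackHost(target.hostname)
  ) {
    return "loopback-alias-mismatch";
  }
  return "cross-origin";
}

// Constructed sample: the request went to 127.0.0.1, the reply named localhost.
const sample = classifyLocation(
  "http://127.0.0.1:8080/foo",
  "http://localhost:8080/foo/bar"
);
console.log(sample);
```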