A missing CORS configuration set allowed-origins to *. Now a missing configuration effectively disabled CORS protection, resulting in a “same origin policy only”.

For customer with an existing CORS configuration, this change is considered as non-breaking.

All customers without a CORS configuration will encounter potential CORS restrictions eventually leading to a non working client. Please review the necessary CORS settings and add them to Headless-Server configuration properties.

(CMS-24249)