Changed Behavior when no CORS Configuration is Used

The default behavior on a missing configuration however was changed correspondingly to the CORS configuration provided by Spring GraphQL. On missing configuration, CORS protection is now disabled. Consequently, this change is considered breaking for those deployments, missing any CORS configuration. Existing CORS configurations should work as before.

With the introduction of the Spring GraphQL library, CORS got its own configuration properties for the /graphql endpoint. When the configuration properties are missing, CORS is effectively disabled for the /graphql endpoint, resulting in the so called Same-Origin-Policy. This means, CORS preflight requests are denied and CORS protection on the endpoint is disabled. The Same-Origin-Policy is effectively enforced by the client browser.

The generic CORS configuration properties caas.cors.* are still available, as they are potentially necessary for a CORS configuration on other endpoints, like /caas/v1/media.