Spring MVC supports CORS with simple and pre-flight requests.

Spring MVC provides support for global CORS handling with a filter, but also local support with @CorsMapping annotations or a CorsConfiguration instance, which is provided to AbstractHandlerMapping implementations.

In the case of Servlet Functional Endpoints, the provided CorsConfiguration has no effect on pre-flight requests.

Here is a sample application:

@Configuration
public class SampleRouterConfig {

	@Bean
	public RouterFunction<ServerResponse> router() {
		return RouterFunctions.route()
				.POST("/function", (req) -> ServerResponse.ok().body("Hello"))
				.build();
	}
}

We can also set a custom CorsConfiguration on the RouterFunctionMapping.

In this case, the following request will not match any handler, and other HandlerMapping later in the chain will handle this:

OPTIONS http://localhost:8080/function
Origin: https://spring.io
Access-Control-Request-Method: POST

Other HandlerMapping implementations have additional checks in the request matching infrastructure to check requests with CorstUtils.isPreFlightRequest(request). See implementations of AbstractRequestCondition and also AbstractHandlerMethodMapping itself.

I'm wondering if we should have here additional RequestPredicates to locally manage CORS requests, or if existing predicates should look for pre-flight requests and match anyway.