Using http filter config is disabling CORS options

[ia3andy]

Describe the bug

When using a filter, it doesn't add the CORS headers anymore.

quarkus.resteasy-reactive.path=/api

quarkus.http.filter.api.header."X-Content-Type-Options"=nosniff
quarkus.http.filter.api.header."X-Frame-Options"=deny
quarkus.http.filter.api.header."Strict-Transport-Security"=max-age=31536000; includeSubDomains
quarkus.http.filter.api.header."Content-Security-Policy"=default-src 'none';
quarkus.http.filter.api.matches=/api/.+
quarkus.http.filter.api.order=1

quarkus.http.cors=true
quarkus.http.cors.origins=/.*/

Expected behavior

The cors headers (or any header that is set up elsewhere) should be added in addition to the other headers

Actual behavior

The cors headers are removed

How to Reproduce?

Clone this and start https://github.com/ia3andy/reproducer-cors with quarkus dev

Use this in you browser console (on a tab with a different domain opened):

fetch("http://localhost:8080/api/hello").then(r => r.text()).then(console.log)

It fails with CORS error.
Remove the filter from the properties and it works.

Output of uname -a or ver

No response

Output of java -version

No response

Quarkus version or git rev

3.5+

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response

[geoand]

Use this in you browser console:

In any page, or some specific one?

[ia3andy]

any page

[geoand]

I tried with Chrome and it only worked on localhost:8080 whether the filter was active or nor

[ia3andy]

Ok so sorry, I thought it was any page but no, you need to test it from a page with another domain:

On the screenshot, first request is with the filter, the second without.

Here is a better command for the test:

fetch("http://localhost:8080/api/hello").then(r => r.text()).then(console.log)

I've updated the instruction to reproduce..

[ia3andy]

cc @sberyozkin

[ia3andy]

@geoand did you reproduce?

[ia3andy]

this is a nasty bug

[geoand]

Yeah, I'll have a fix soon