Org.eclipse.smarthome.cors:enable=true not working as expected (I think)

I’m running the latest docker snapshot 2.4.0-snapshot-amd64-debian (Build #1392), and trying to use the REST API from a web application.

I’m getting a Cross-Origin Request Blocked error, and so have enabled the option org.eclipse.smarthome.cors:enable=true in my runtime.cfg as suggested. After doing this and restarting, I can now see this in the logs:

2018-10-21 09:34:37.561 [INFO ] [] - enabled CORS for REST API.

So I think I have set it correctly, however I’m still having the issue in my web app.

Looking at the output in curl, I see there is no Access-Control-Allow-Origin header (as I would expect, but maybe wrong here), for example:

$ curl http://openhab.sf:8080/rest/items/myswitch -v
*   Trying
* Connected to openhab.sf ( port 8080 (#0)
> GET /rest/items/myswitch HTTP/1.1
> Host: openhab.sf:8080
> User-Agent: curl/7.54.0
> Accept: */*
< HTTP/1.1 200 OK
< Content-Type: application/json
< Content-Length: 216
< Server: Jetty(9.4.11.v20180605)
* Connection #0 to host openhab.sf left intact
{"link":"http://openhab.sf:8080/rest/items/myswitch","state":"ON","editable":false,"type":"Switch","name":"myswitch","label":"Pool Pump","category":"switch","tags":[],"groupNames":["sonoff","gDBPersist"]}

So I tried looking in the source for the implementation (at and but couldn’t anything even referencing cors, so clearly looking in the wrong spot (or GitHub search is not working, which is possible).

So am I missing something obvious, or is there a bigger issue at play here?

Thanks in advance!

The latest snapshot includes a not fully implemented, or at least an implementation with some problems authentication. Perhaps that is related.

I have the same problem, cors is not working for me.
The source file in question is this: