Istio CorsPolicy is not returning the access-control-allow-* response headers as expected

Question

I have installed Istio and configured the ingress gateway with CorsPolicy. For the preflight/options request, the access-control-allow response headers are returned only when the origin header matches. Otherwise Istio returns wrong response headers.

For the actual request, Istio returns the access-control-allow-origin header as the same value as the origin header which was passed in the request.

Is this the expected behavior? How to prevent call from origins which are not accepted?

Similar issue here: https://github.com/istio/istio/issues/9783

Istio version: 1.17.2 and 1.20.3

I have installed standard Istio ingress gateway using istioctl

istioctl install --set profile=demo -y

I have configured istio using the following config

Gateway:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-ext-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - httpbin.org

VirtualService

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin-ext-vs
spec:
  hosts:
  - httpbin.org
  gateways:
  - httpbin-ext-gateway
  http:
  - match:
    - gateways:
      - httpbin-ext-gateway
      port: 80
      uri:
        prefix: /status
    route:
    - destination:
        host: httpbin.org
        port:
          number: 80
    corsPolicy:
      allowOrigins:
      - exact: https://example.com
      allowMethods:
      - POST
      - GET
      allowCredentials: false
      allowHeaders:
      - X-Foo-Bar
      maxAge: "1m"

Now the following curl commands shows the issue

Options - Origin match: curl -i -X OPTIONS -H "Host: httpbin.org" -H "Origin: https://example.com" -H "Access-Control-Request-Method: GET" http://10.100.41.221/status/418

HTTP/1.1 200 OK
access-control-allow-origin: https://example.com
access-control-allow-methods: POST,GET
access-control-allow-headers: X-Foo-Bar
access-control-max-age: 60
date: Tue, 20 Feb 2024 09:36:24 GMT
server: istio-envoy
content-length: 0

Options - Origin DOES NOT match: curl -i -X OPTIONS -H "Host: httpbin.org" -H "Origin: https://example1.com" -H "Access-Control-Request-Method: GET" http://10.100.41.221/status/418

HTTP/1.1 200 OK
date: Tue, 20 Feb 2024 09:36:57 GMT
content-type: text/html; charset=utf-8
content-length: 0
server: istio-envoy
allow: OPTIONS, POST, PUT, HEAD, PATCH, DELETE, GET, TRACE
access-control-allow-origin: https://example1.com
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
access-control-max-age: 3600
x-envoy-upstream-service-time: 433

Actual request - Origin match: curl -i -H "Host: httpbin.org" -H "Origin: https://example.com" http://10.100.41.221/status/418

HTTP/1.1 418 Unknown
date: Tue, 20 Feb 2024 09:49:43 GMT
content-length: 135
server: istio-envoy
x-more-info: http://tools.ietf.org/html/rfc2324
access-control-allow-origin: https://example.com
access-control-allow-credentials: true
x-envoy-upstream-service-time: 598

Actual request - Origin DOES NOT match: curl -i -H "Host: httpbin.org" -H "Origin: https://example1.com" http://10.100.41.221/status/418

HTTP/1.1 418 Unknown
date: Tue, 20 Feb 2024 09:50:08 GMT
content-length: 135
server: istio-envoy
x-more-info: http://tools.ietf.org/html/rfc2324
access-control-allow-origin: https://example1.com
access-control-allow-credentials: true
x-envoy-upstream-service-time: 439