When serving static assets via jettys DefaultServlet I only want CORS headers set on successful (2xx) responses. CORS headers must not be set on error responses as the 404 page is rendered by a framework servlet and would include sensitive application content (cookies, CSRF token).

Current approach:

• Jetty 12 EE10
• A servlet filter for adding CORS headers mapped to DefaultServlet for REQUEST|FORWARD dispatches
• A web.xml for 404 routing to a framework servlet

I tried to solve this issue by using a HttpServletResponseWrapper and setting headers when getOutputStream is called but jetty does not call getOutputStream on empty files. Additionally I looked into registering the filter on the framework servlet for ERROR dispatches, removing the header if the original request URI (jakarta.servlet.error.request_uri) was a static asset path but other kinds of errors will not forward to the framework servlet.

As these approaches seem brittle, what would be the most idiomatic and resilient approach to realize this behavior?

Thanks!