Hi all.

Some of us at eBay noticed that Tomcat currently does not implement CORS ( http://www.w3.org/TR/cors/ ), but that some other modern web servers and servlet containers do. We were wondering whether you're interested in including our implementation of the spec, written by Mohit Soni < mohitsoni1...@gmail.com>. eBay recently open-sourced this implementation of server-side CORS (under Apache License, version 2). The implementation is a Java Servlet Filter that implements W3C's CORS specification:

https://github.com/ebay/cors-filter

Here are a few reasons why we believe this implementation is a good fit:

* Implements all required sections of the spec for servers. Handles simple/actual and pre-flight requests as per the specification.
* Written specifically to fit well with Tomcat's source, and is formatted the same as Tomcat's source.
* Filter implementation is just one class and is well Javadoc'd ( https://github.com/eBay/cors-filter/blob/master/src/main/java/org/ebaysf/web/cors/CORSFilter.java ).
* Includes ample unit tests to validate the implementation against the spec ( https://github.com/eBay/cors-filter/blob/master/src/test/java/org/ebaysf/web/cors/CORSFilterTest.java ).
* Simple to configure minimally and use ( https://github.com/eBay/cors-filter/blob/master/README.md#quick-start ).
* Easy to override the default configuration, if required ( https://github.com/eBay/cors-filter/blob/master/README.md#configuring-cors-filter ).
* Documentation is written to fit well with Tomcat's documentation ( https://github.com/eBay/cors-filter/blob/master/README.md ).
* Uses Apache License, version 2.0.
* Protects against CRLF injection / response splitting attacks.

Also, here's a sample application using this filter: http://corsdemo.appspot.com

We would like to contribute this implementation to the Apache Software Foundation, to be included in Tomcat, and Mohit also would like to maintain and develop it going forward. It's true that, as a Servlet Filter, any webapp developer may add it to their app whether Tomcat includes it or not, but we believe that this is fundamental server behavior that should be present and easy to enable in the server, as it is in some other servers.

Thoughts?

-- 
Jason
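The message above describes what a server-side CORS filter has to do: tell non-CORS, simple/actual and pre-flight requests apart, answer pre-flights itself, and never echo an attacker-controlled header value back unchecked (the CRLF injection / response splitting point). The following is an added, language-agnostic model of that decision logic written for this page; it is not eBay's cors-filter code and not Tomcat's. It runs with no servlet container: requests are plain (method, headers) pairs, and the allow-list configuration (ALLOWED_ORIGINS, ALLOWED_METHODS, ALLOWED_HEADERS, EXPOSED_HEADERS, the credentials flag and the max-age) is a constructed example, not the project's defaults.

```python
"""
Model of a server-side CORS filter's decision logic, following the request
types in the W3C CORS spec (section 6.1 simple/actual requests, section 6.2
pre-flight requests).  Added example, not cors-filter's code.
"""
from urllib.parse import urlsplit

# Assumed configuration (constructed for this example, not the project's defaults).
ALLOWED_ORIGINS = {"https://app.example.com"}
ALLOWED_METHODS = {"GET", "POST", "HEAD", "OPTIONS"}
ALLOWED_HEADERS = {"origin", "accept", "x-requested-with", "content-type"}
EXPOSED_HEADERS = ["X-Request-Id"]
SUPPORTS_CREDENTIALS = True
PREFLIGHT_MAX_AGE = 1800

# A "simple" request per the spec: GET/HEAD, or POST with a form-style content type.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def is_valid_origin(origin):
    """Syntactic check only: scheme://host[:port] (or the literal "null"), and no
    CR, LF or whitespace.  Rejecting control characters here is what keeps an
    attacker from smuggling extra response header lines via Origin."""
    if origin == "null":
        return True
    if any(c in origin for c in "\r\n\t "):
        return False
    p = urlsplit(origin)
    return bool(p.scheme and p.netloc and not p.path and not p.query and not p.fragment)


def classify(method, headers):
    """Return NOT_CORS, INVALID_CORS, PRE_FLIGHT, SIMPLE or ACTUAL for one request."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        return "NOT_CORS"
    if not is_valid_origin(origin):
        return "INVALID_CORS"
    if method == "OPTIONS" and "access-control-request-method" in h:
        return "PRE_FLIGHT"
    if method in SIMPLE_METHODS:
        ctype = h.get("content-type", "").split(";")[0].strip().lower()
        if method != "POST" or ctype in SIMPLE_CONTENT_TYPES:
            return "SIMPLE"
    return "ACTUAL"


def handle(method, headers):
    """Apply the filter to one request.  Returns (status, response_headers, proceed);
    proceed is False when the filter has already finished the response."""
    h = {k.lower(): v for k, v in headers.items()}
    kind = classify(method, headers)
    if kind == "NOT_CORS":
        return 200, {}, True            # nothing to do; hand through to the application
    if kind == "INVALID_CORS":
        return 403, {}, False           # malformed Origin: refuse without echoing it
    origin = h["origin"]
    if origin not in ALLOWED_ORIGINS:
        return 403, {}, False           # spec: no match, add no headers, terminate

    # Only allow-listed values are ever copied into the response, so nothing
    # attacker-controlled reaches a header line.  Vary: Origin is added here so
    # shared caches do not serve one origin's response to another (an assumption
    # of this example, not a claim about the project).
    resp = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if SUPPORTS_CREDENTIALS:
        resp["Access-Control-Allow-Credentials"] = "true"

    if kind == "PRE_FLIGHT":
        req_method = h["access-control-request-method"].strip()
        req_headers = [x.strip().lower()
                       for x in h.get("access-control-request-headers", "").split(",")
                       if x.strip()]
        if req_method not in ALLOWED_METHODS or not set(req_headers) <= ALLOWED_HEADERS:
            return 403, {}, False
        resp["Access-Control-Max-Age"] = str(PREFLIGHT_MAX_AGE)
        resp["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        if req_headers:
            resp["Access-Control-Allow-Headers"] = ", ".join(req_headers)
        return 200, resp, False         # the filter answers the pre-flight itself

    if EXPOSED_HEADERS:
        resp["Access-Control-Expose-Headers"] = ", ".join(EXPOSED_HEADERS)
    return 200, resp, True              # simple/actual request continues to the app


if __name__ == "__main__":
    # Constructed sample requests: a pre-flight, an actual request and a CRLF attempt.
    print(handle("OPTIONS", {"Origin": "https://app.example.com",
                             "Access-Control-Request-Method": "POST",
                             "Access-Control-Request-Headers": "Content-Type"}))
    print(handle("GET", {"Origin": "https://app.example.com"}))
    print(handle("GET", {"Origin": "https://evil.example\r\nSet-Cookie: a=b"}))
```

The point to take from the model is that the filter never reflects a request value it has not first validated: Origin must parse as a bare origin with no control characters and must match the allow-list exactly, and Access-Control-Request-Headers is only echoed after every name has been checked against the configured header allow-list.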