[Bug 63937] CORS preflight request not possible on authenticated endpoints
https://bz.apache.org/bugzilla/show_bug.cgi?id=63937 Mark Thomas changed: What|Removed |Added Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #7 from Mark Thomas --- Fixed in: - master for 9.0.30 onwards - 8.5.x for 8.5.50 onwards - 7.0.x for 7.0.99 onwards -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 63937] CORS preflight request not possible on authenticated endpoints
https://bz.apache.org/bugzilla/show_bug.cgi?id=63937 --- Comment #6 from Mark Thomas --- Drat. The filter chain is populated later in the request processing chain than I thought it was. I'm looking into alternatives for the "If the CORS filter is present" option. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 63937] CORS preflight request not possible on authenticated endpoints
https://bz.apache.org/bugzilla/show_bug.cgi?id=63937 --- Comment #5 from Michael Osipov --- (In reply to Mark Thomas from comment #4) > Corrected attribute name noted. > > From a Valve we should be able to look into the FilterChain so see if our > CORS valve is present. For other implementations the user would have to set > it manually. If there are a small number of standard CORS filter > implementations with *&might* be able to look for each of them (by fully > qualified class name) but this starts heading in a direction I'm rather > uncomfortable with. Sounds like a good plan. I fully agree with. I would neither peek for third-party filters, an explicit true on that attribute is fine. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 63937] CORS preflight request not possible on authenticated endpoints
https://bz.apache.org/bugzilla/show_bug.cgi?id=63937 --- Comment #4 from Mark Thomas --- Corrected attribute name noted. >From a Valve we should be able to look into the FilterChain so see if our CORS valve is present. For other implementations the user would have to set it manually. If there are a small number of standard CORS filter implementations with *&might* be able to look for each of them (by fully qualified class name) but this starts heading in a direction I'm rather uncomfortable with. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 63937] CORS preflight request not possible on authenticated endpoints
https://bz.apache.org/bugzilla/show_bug.cgi?id=63937 --- Comment #3 from Michael Osipov --- (In reply to Mark Thomas from comment #1) > allowCorsPreFlight looks like a reasonable attribute name. > > I'd suggest, if it is possible without too much jumping through hoops, it > defaults to true in the presence of the CORSFilter and false otherwise. How do you want to detect that actually from a valve? What is not our CORS filter is active, but another one, e.g. from Spring MVC, but uses CMS? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 63937] CORS preflight request not possible on authenticated endpoints
https://bz.apache.org/bugzilla/show_bug.cgi?id=63937 --- Comment #2 from Michael Osipov --- (In reply to Mark Thomas from comment #1) > allowCorsPreFlight looks like a reasonable attribute name. > > I'd suggest, if it is possible without too much jumping through hoops, it > defaults to true in the presence of the CORSFilter and false otherwise. I agree, having allowCorsPreflight (note lowercase F as in the Fetch Standard) to be on by default n and can be disabled for whatsoever reason. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 63937] CORS preflight request not possible on authenticated endpoints
https://bz.apache.org/bugzilla/show_bug.cgi?id=63937 --- Comment #1 from Mark Thomas --- allowCorsPreFlight looks like a reasonable attribute name. I'd suggest, if it is possible without too much jumping through hoops, it defaults to true in the presence of the CORSFilter and false otherwise. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 63937] CORS preflight request not possible on authenticated endpoints
https://bz.apache.org/bugzilla/show_bug.cgi?id=63937 Michael Osipov changed: What|Removed |Added CC||micha...@apache.org -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
