https://bz.apache.org/bugzilla/show_bug.cgi?id=66304
Bug ID: 66304
Summary: CORS returns double Allow-Origin header
Product: Tomcat 10
Version: 10.0.23
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: glenn_...@hotmail.com
Target Milestone: ---

Basic Setup:

I have a docker container running PlantUML server (Tomcat) version on the following address: http://192.168.1.10 (Link: https://github.com/plantuml/plantuml-server)

I have a website that makes a POST request to the server, with some content in the body:

    URL: http://192.168.1.10/png
    BODY:
    Bob -> Alice : hello2
    Steve -> Jonah
    Sven -> Miriam
    Hans -> Grietje

This should return an image (works using Postman). However, when performing this POST request in the browser using JavaScript, the browser blocks the response with a CORS error: "Multiple CORS headers are not allowed."

When looking at the response, it indeed has 2 CORS headers:

- Access-Control-Allow-Origin: *
- Access-Control-Allow-Origin: http://192.168.1.10

In web.xml I only have the server configured:

    <!-- Tomcat's built-in CORS filter; only the origin below is allowed. -->
    <filter>
        <filter-name>CorsFilter</filter-name>
        <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
        <!-- Origins that may make cross-origin requests (comma separated, or "*") -->
        <init-param>
            <param-name>cors.allowed.origins</param-name>
            <param-value>http://192.168.1.10</param-value>
        </init-param>
        <!-- HTTP methods the filter accepts for cross-origin requests -->
        <init-param>
            <param-name>cors.allowed.methods</param-name>
            <param-value>GET,POST</param-value>
        </init-param>
        <!-- Request headers a preflight may ask for -->
        <init-param>
            <param-name>cors.allowed.headers</param-name>
            <param-value>Content-Type,Authorization,Accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Content-Length,Connection</param-value>
        </init-param>
        <!-- Response headers exposed to the browser script via Access-Control-Expose-Headers -->
        <init-param>
            <param-name>cors.exposed.headers</param-name>
            <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
        </init-param>
        <!-- Cookies/credentials are not allowed on cross-origin requests -->
        <init-param>
            <param-name>cors.support.credentials</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>
    <!-- Not shown in the report; a mapping like this is assumed so the filter actually runs. -->
    <filter-mapping>
        <filter-name>CorsFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

When I change the URL to * I still get two headers, both containing a *:

- Access-Control-Allow-Origin: *
- Access-Control-Allow-Origin: *

With the same error message as a result.

It seems that when a valid CORS request is received the server always adds the *-header by default instead of only the matched URL.
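The browser verdict the report describes, reproduced outside the browser as an added example (this is not code from the bug report, from Tomcat or from PlantUML). The script parses raw HTTP responses into a header list and applies the Fetch standard's CORS check, in which duplicate fields are first combined with ", ": that combination is why two Access-Control-Allow-Origin fields are rejected even when both carry "*". The sample responses are constructed to match the report, and the page origin http://app.example is an assumption, since the report does not say where the website runs.

```javascript
// Added example, not code from the bug report, Tomcat or PlantUML.
// Reproduces the Fetch standard's "CORS check" against raw HTTP responses
// so the browser's decision can be reproduced from a curl or proxy capture.

// Parse the header block of a raw HTTP/1.1 response into [name, value] pairs
// (names lower-cased, order preserved, duplicates kept).
function parseHeaders(raw) {
  const lines = raw.split(/\r?\n/);
  const pairs = [];
  for (const line of lines.slice(1)) {            // skip the status line
    if (line === '') break;                        // blank line ends the header block
    const idx = line.indexOf(':');
    if (idx < 0) continue;                         // tolerate junk lines
    pairs.push([line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()]);
  }
  return pairs;
}

// Number of fields with the given name; more than one is the symptom in the report.
function countHeader(pairs, name) {
  return pairs.filter(([n]) => n === name.toLowerCase()).length;
}

// Fetch standard "get" on a header list: null if absent, otherwise every value
// joined with ", ". Two "*" fields therefore read back as "*, *", not "*".
function getHeader(pairs, name) {
  const values = pairs.filter(([n]) => n === name.toLowerCase()).map(([, v]) => v);
  return values.length === 0 ? null : values.join(', ');
}

// Fetch standard "CORS check" for a response to a request from requestOrigin
// with the given credentials mode ("omit", "same-origin" or "include").
function corsCheck(pairs, requestOrigin, credentialsMode = 'omit') {
  const allowOrigin = getHeader(pairs, 'Access-Control-Allow-Origin');
  if (allowOrigin === null) {
    return { ok: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (credentialsMode !== 'include' && allowOrigin === '*') {
    return { ok: true, reason: 'wildcard allowed (no credentials)' };
  }
  if (allowOrigin !== requestOrigin) {
    return { ok: false, reason: `"${allowOrigin}" is not the request origin "${requestOrigin}"` };
  }
  if (credentialsMode !== 'include') {
    return { ok: true, reason: 'origin matches' };
  }
  const creds = getHeader(pairs, 'Access-Control-Allow-Credentials');
  if (creds === 'true') {
    return { ok: true, reason: 'origin matches and credentials allowed' };
  }
  return { ok: false, reason: 'credentials requested but Access-Control-Allow-Credentials is not "true"' };
}

// Duplicate count plus the check verdict for one raw response.
function analyse(raw, requestOrigin, credentialsMode = 'omit') {
  const pairs = parseHeaders(raw);
  const duplicates = countHeader(pairs, 'Access-Control-Allow-Origin');
  return { duplicates, ...corsCheck(pairs, requestOrigin, credentialsMode) };
}

// Constructed sample responses modelled on the report (not real captures).
const crlf = (lines) => lines.join('\r\n') + '\r\n\r\n';
const REPORTED = crlf([
  'HTTP/1.1 200 OK',
  'Content-Type: image/png',
  'Access-Control-Allow-Origin: *',
  'Access-Control-Allow-Origin: http://192.168.1.10',
]);
const DOUBLE_STAR = crlf([
  'HTTP/1.1 200 OK',
  'Access-Control-Allow-Origin: *',
  'Access-Control-Allow-Origin: *',
]);
const SINGLE_STAR = crlf(['HTTP/1.1 200 OK', 'Access-Control-Allow-Origin: *']);
const SINGLE_MATCH = crlf([
  'HTTP/1.1 200 OK',
  'Access-Control-Allow-Origin: http://app.example',
  'Vary: Origin',
]);

// Assumed page origin; the report does not say where the website is served from.
const PAGE_ORIGIN = 'http://app.example';

for (const [label, raw] of [['reported', REPORTED], ['double *', DOUBLE_STAR],
                            ['single *', SINGLE_STAR], ['single match', SINGLE_MATCH]]) {
  const r = analyse(raw, PAGE_ORIGIN);
  console.log(`${label}: ${r.duplicates} Allow-Origin field(s) -> ${r.ok ? 'allowed' : 'BLOCKED'} (${r.reason})`);
}
```

Feeding a real capture through analyse() with the CorsFilter removed from web.xml, and again with it present, shows which layer contributes which Access-Control-Allow-Origin field; the fix is to have exactly one layer emit it.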