https://bz.apache.org/bugzilla/show_bug.cgi?id=66304

            Bug ID: 66304
           Summary: CORS returns double Allow-Origin header
           Product: Tomcat 10
           Version: 10.0.23
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: glenn_...@hotmail.com
  Target Milestone: ------

Basic Setup:

I have a Docker container running the PlantUML server (Tomcat) version at the
following address: http://192.168.1.10
(Link: https://github.com/plantuml/plantuml-server)

I have a website that makes a POST request to the server with some content in
the body:
URL: http://192.168.1.10/png
BODY:
 Bob -> Alice : hello2
 Steve -> Jonah
 Sven -> Miriam
 Hans -> Grietje

This should return an image (works using Postman).

However, when performing this POST request in the browser using JavaScript, the
browser blocks the response with a CORS error: multiple CORS headers are not
allowed.

When looking at the response it indeed has 2 CORS headers:
- Access-Control-Allow-Origin: *
- Access-Control-Allow-Origin: http://192.168.1.10

In web.xml I only have the server configured:

<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
        <param-name>cors.allowed.origins</param-name>
        <param-value>http://192.168.1.10</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.methods</param-name>
        <param-value>GET,POST</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.headers</param-name>
        <param-value>Content-Type,Authorization,Accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Content-Length,Connection</param-value>
    </init-param>
    <init-param>
        <param-name>cors.exposed.headers</param-name>
        <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
    </init-param>
    <init-param>
        <param-name>cors.support.credentials</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>

When I change the URL to *, I still get two headers, both containing a *:
- Access-Control-Allow-Origin: *
- Access-Control-Allow-Origin: *

With the same error message as a result.

It seems that when a valid CORS request is received, the server always adds the
*-header by default instead of only the matched URL.

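A small checker for the symptom described in this report, added here as an example; it is not code from the bug report, from PlantUML, or from Tomcat. Browsers reject a response that carries more than one Access-Control-Allow-Origin header (the Fetch standard requires a single value), so the fastest way to confirm a misconfiguration like this one is to inspect the raw response headers rather than the rendered result. The script parses a constructed raw HTTP response modelled on the two-header response the reporter saw and flags duplicate Allow-Origin headers, plus the related wildcard-with-credentials combination. The sample responses and the function names are assumptions for this example.

```python
"""Flag duplicate or conflicting CORS response headers in a raw HTTP response.

Added example, not part of the bug report or of Tomcat. The sample responses
below are constructed to mirror the symptom in the report.
"""
from collections import defaultdict

# Constructed sample: two Access-Control-Allow-Origin headers, as in the report.
DOUBLE_ACAO_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/png\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Allow-Origin: http://192.168.1.10\r\n"
    "Vary: Origin\r\n"
    "\r\n"
)

# Constructed sample: a single, correctly scoped Allow-Origin header.
CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/png\r\n"
    "Access-Control-Allow-Origin: http://192.168.1.10\r\n"
    "Vary: Origin\r\n"
    "\r\n"
)

# Constructed sample: wildcard origin together with credentials, which browsers
# also reject (and which would be a real exposure if they accepted it).
WILDCARD_CREDENTIALS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "\r\n"
)


def parse_headers(raw_response):
    """Return {lower-cased header name: [values...]} from a raw HTTP response.

    Every occurrence of a header is kept, because the whole point is to see
    when a header that must appear once appears more than once.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = defaultdict(list)
    for line in lines[1:]:  # lines[0] is the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def cors_findings(headers):
    """Return a list of human-readable findings about the CORS headers."""
    findings = []
    acao = headers.get("access-control-allow-origin", [])
    if len(acao) > 1:
        # Browsers treat multiple Allow-Origin headers as a failed CORS check,
        # regardless of whether the values agree with each other.
        findings.append("duplicate Access-Control-Allow-Origin: " + ", ".join(acao))
    creds = [v.lower() for v in headers.get("access-control-allow-credentials", [])]
    if "*" in acao and "true" in creds:
        findings.append("wildcard Access-Control-Allow-Origin combined with "
                        "Access-Control-Allow-Credentials: true")
    return findings


def check_response(raw_response):
    """Parse a raw response and return its CORS findings (empty list if clean)."""
    return cors_findings(parse_headers(raw_response))


if __name__ == "__main__":
    for label, sample in (("double ACAO", DOUBLE_ACAO_RESPONSE),
                          ("clean", CLEAN_RESPONSE),
                          ("wildcard+credentials", WILDCARD_CREDENTIALS_RESPONSE)):
        print(label, "->", check_response(sample) or "no findings")
```

To use this against a live server, capture the raw response headers with a client that does not collapse duplicates (for example `curl -i` with an `Origin:` request header set) and pass the text to `check_response`. Once the duplicate is confirmed, the usual cause to rule out is a second component (the application itself, another filter, or a reverse proxy in front of Tomcat) adding its own Allow-Origin header alongside the CorsFilter's; the report itself does not establish which component is responsible here.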