On 10/03/2014 14:30, Richard Hart wrote:
> (Tomcat 7.0.50, Linux)
>
> Having recently enabled CORS support for our Tomcat-based web app
> using the provided CorsFilter, we have discovered a problem where some
> same-origin (i.e. non-CORS) requests from certain browsers (e.g.
> Chrome) are denied. This is due to the browser setting the Origin
> header even though the request is non-CORS. It turns out that this is
> in fact legal according to RFC 6454.
>
> Given the popularity of Tomcat and Chrome I was surprised to find
> little mention of this problem online. Has anyone else encountered
> this problem?
>
> Our planned solution is to fork CorsFilter and modify it to allow
> requests for which the Origin and Host headers both resolve to the
> same IP address. However, if somebody has already implemented a
> solution for this problem could you please let us know.
If the Origin and Host headers don't match (even if they do resolve to the same IP address) isn't that a cross-origin request? In which case isn't the filter doing what it is meant to?

Why isn't setting the cors.allowed.origins init parameter sufficient?

Mark
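As an added example (not code from this thread or from Tomcat's CorsFilter), a Python sketch of the origin comparison RFC 6454 defines: a request whose Origin header names the same scheme/host/port triple as the request itself is same-origin, even when a browser such as Chrome sends Origin on it, while a genuinely cross-origin request is checked against an allow list in the spirit of cors.allowed.origins. All header values below are constructed.

```python
from urllib.parse import urlsplit

# Default ports per scheme, used when Host or Origin omit an explicit port
DEFAULT_PORTS = {"http": 80, "https": 443}


def split_host_port(hostport, scheme):
    """Split 'host[:port]' (bracketed IPv6 allowed) into (host, port)."""
    if hostport.startswith("["):                # IPv6 literal, e.g. [::1]:8080
        host, _, rest = hostport.partition("]")
        host += "]"
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = hostport.partition(":")
    return host.lower(), int(port) if port else DEFAULT_PORTS[scheme]


def parse_origin(origin_header):
    """Origin header -> (scheme, host, port); 'null' or malformed -> None."""
    if not origin_header or origin_header.strip().lower() == "null":
        return None
    parts = urlsplit(origin_header.strip())
    scheme = parts.scheme.lower()
    try:
        host, port = split_host_port(parts.netloc, scheme)
    except (ValueError, KeyError):              # bad port or unknown scheme
        return None
    return (scheme, host, port) if host else None


def request_origin(request_scheme, host_header):
    """The request's own origin triple from its scheme and Host header."""
    return parse_origin(f"{request_scheme}://{host_header}")


def classify(request_scheme, headers, allowed_origins):
    """'not-cors' (no Origin), 'same-origin' (RFC 6454 match),
    'cors-allowed' (Origin on the allow list, '*' meaning any), else 'cors-denied'."""
    origin_header = headers.get("Origin")
    if origin_header is None:
        return "not-cors"
    origin = parse_origin(origin_header)
    if origin is not None and origin == request_origin(request_scheme, headers["Host"]):
        return "same-origin"
    if "*" in allowed_origins:
        return "cors-allowed"
    allowed = {parse_origin(a) for a in allowed_origins} - {None}
    return "cors-allowed" if origin in allowed else "cors-denied"
```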