On 4/29/2014 3:48 AM, Jose María Zaragoza wrote:
2014-04-29 0:38 GMT+02:00 Terence M. Bandoian <tere...@tmbsw.com>:
On 4/28/2014 5:32 PM, Terence M. Bandoian wrote:
On 4/28/2014 3:08 PM, Jose María Zaragoza wrote:
2014-04-28 21:55 GMT+02:00 Terence M. Bandoian <tere...@tmbsw.com>:
On 4/26/2014 6:56 AM, Jose María Zaragoza wrote:
2014-04-26 13:16 GMT+02:00 Martin Gainty <mgai...@hotmail.com>:
Date: Sat, 26 Apr 2014 11:43:05 +0530
Subject: Re: CORS issue with Tomcat and Android Webview
From: ankising...@gmail.com
To: users@tomcat.apache.org

On Sat, Apr 26, 2014 at 12:53 AM, Terence M. Bandoian <tere...@tmbsw.com> wrote:

On 4/24/2014 11:16 PM, Ankit Singhal wrote:

Hi

I did more research on this and figured out the issue. If you see the
headers from Android and look into Origin Header.

Origin: file://

Tomcat CORS filter tries to validate the URI in Origin header and
considers "file://" as an invalid URI and returns back 403.

I have applied <accept-origin>*</accept-origin> params. So shouldn't
CORS filter honor this?

I agree that Client also has the problem, but still server should also
allow...

Hi:

I'm watching this flowchart
https://tomcat.apache.org/tomcat-7.0-doc/images/cors-flowchart.png

and I wonder if Tomcat 7 checks if the request received belongs to the
right type.
I mean, if browser sends a simple request (e.g. POST + application/xml
content-type header),
W3C spec says that request should be a preflight request, does
Tomcat check this case?



Regards

Hi, Jose-

I don't see where the W3C spec requires a preflight request for simple
requests.


-Terence Bandoian

Sorry, I meant non-simple request.
For example, if I perform a cross-domain POST request (within
application/xml content-type header),
I guess that a preflight request is required, right?
What happens if it's not sent, on Tomcat? Should it check it?

Regards


Hi, Jose-

I don't see in the W3C spec where preflight requests are required at all.
Can you point me to where you've found that?

-Terence Bandoian


I meant to say I don't see where the W3C spec requires preflight requests to
be sent.
According to

http://www.w3.org/TR/cors/#simple-cross-origin-request
Cross-Origin Request with Preflight
[
Go to the next step if the following conditions are true. *Otherwise,
make a preflight request.*

- For request method there either is a method cache match or it is a
simple method and the force preflight flag is unset.
- For every header of author request headers there either is a header
cache match for the field name or it is a simple header.
/]

So, I understand that if I make a POST request within application/xml
content-type header, it's a simple method but Content-Type:
application/xml is not a simple header, according to
http://www.w3.org/TR/cors/#simple-method
I understand that client must make a preflight request.

Maybe I'm wrong


Regards


Hi, Jose,

I see that now but the logic behind it is a little confusing. In particular, the following sentence at the beginning of the section you referenced is not clear to me:

"To protect resources against cross-origin requests that could not originate from certain user agents before this specification existed a preflight request is made to ensure that the resource is aware of this specification."

Are servers required to perform any actions related to preflight requests other than responding appropriately to them?

-Terence Bandoian
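
Added example, not part of any message in this thread and not Tomcat's code: the simple-method and simple-header test from the W3C CORS section quoted above, which decides whether a user agent sends a preflight. It assumes an empty preflight result cache and an unset force preflight flag; the function names are hypothetical.

```javascript
// Added example (function names are hypothetical). Assumes an empty
// preflight result cache and the force preflight flag unset.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]); // case-sensitive match
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Header names match case-insensitively. Content-Type is simple only when its
// media type, with parameters such as charset removed, is in the list above.
function isSimpleHeader(name, value) {
  const n = name.toLowerCase();
  if (SIMPLE_HEADERS.has(n)) return true;
  if (n !== "content-type") return false;
  const mediaType = String(value).split(";")[0].trim().toLowerCase();
  return SIMPLE_CONTENT_TYPES.has(mediaType);
}

// Returns every reason a preflight is needed; an empty array means the
// cross-origin request may be sent directly as a simple request.
function preflightReasons(method, authorHeaders = {}) {
  const reasons = [];
  if (!SIMPLE_METHODS.has(method)) reasons.push(`method ${method}`);
  for (const [name, value] of Object.entries(authorHeaders)) {
    if (!isSimpleHeader(name, value)) reasons.push(`header ${name}: ${value}`);
  }
  return reasons;
}

// Constructed sample requests, including the POST + application/xml case
// discussed in the thread.
const samples = [
  ["POST", { "Content-Type": "application/xml" }],
  ["POST", { "Content-Type": "text/plain; charset=UTF-8" }],
  ["GET", { Accept: "application/json", "X-Requested-With": "XMLHttpRequest" }],
  ["DELETE", {}],
];
for (const [method, headers] of samples) {
  const reasons = preflightReasons(method, headers);
  const verdict = reasons.length ? `preflight (${reasons.join(", ")})` : "simple";
  console.log(`${method} ${JSON.stringify(headers)} -> ${verdict}`);
}
```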

