Regarding the Tomcat filter, I'm not sure; most of the time I end up doing my own filter too. Maybe forward the email to the Tomcat mailing list too.
Yes, if you use * it defeats the purpose of the CORS protection.

--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com

On Wed, Apr 10, 2019 at 9:09 AM Matthew Broadhead <matthew.broadh...@nbmlaw.co.uk.invalid> wrote:

> I cannot seem to get the CORS filter in Tomcat working
> http://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#CORS_Filter
>
> I ended up creating a custom filter like the accepted answer in
> https://stackoverflow.com/questions/38354664/enable-cors-on-tomcat-8-0-30
>
> Also, every tutorial seems to set cors.allowed.origins to *. Doesn't
> this defeat the whole purpose of CORS? It should be set to list just
> the origins that are allowed to access the resource? Otherwise your
> customers can get phished?