The CORS filter not allowing request and returning 403 when the request is as follows. Request Headers POST http://kodiakptt.com/poc/ HTTP/1.1 Accept: application/json, text/plain, */* Origin: file:// User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; XT1033 Build/KXB20.25-1.31) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36 Content-Type: application/json;charset=UT We have a app which accesses the resource from tomcat web server, if UI is part of the app and using hosted JSCDE/mobile API js file, the webview send the request with Origin: file:// which tomcat rejects with 403 Forbidden.
No configuration has been provided for the CORS filter so the working assumption is going to be that this is a configuarion error. Please use the users@tomcat.apache.org mailing list to debug this further. If that discussion concludes that there is a valid bug here then this issue can be re-opened and the necessary details required to reproduce the issue added.
Below is the cors filter configuration in tomcat web.xml file <filter> <filter-name>CorsFilter</filter-name> <filter-class>org.apache.catalina.filters.CorsFilter</filter-class> <init-param> <param-name>cors.allowed.origins</param-name> <param-value>*</param-value> </init-param> <!--<init-param> <param-name>cors.allow.nullorigin</param-name> <param-value>true</param-value> </init-param>--> <init-param> <param-name>cors.allowed.methods</param-name> <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value> </init-param> <init-param> <param-name>cors.allowed.headers</param-name> <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,KN-X-UserAgent</param-value> </init-param> <init-param> <param-name>cors.exposed.headers</param-name> <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value> </init-param> <init-param> <param-name>cors.support.credentials</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>cors.preflight.maxage</param-name> <param-value>10</param-value> </init-param> </filter> <filter-mapping> <filter-name>CorsFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> </web-app>
OK. I see the problem. "file://" is not a valid URI so Tomcat was rejecting it. However the spec for origin is that if the scheme is file the rest could be anything. I've modified the filter to allow any URI (valid or not) with a scheme of file. This has been fixed in the following branches: - 9.0.x for 9.0.0.M10 onwards - 8.5.x for 8.5.5 onwards - 8.0.x for 8.0.37 onwards - 7.0.x for 7.0.71 onwards