|Summary:||CorsFilter does not work correctly if the "origin" has the same value with the "host"|
|Product:||Tomcat 7||Reporter:||Jack Zhang <wenjiezhang2013>|
|Component:||Catalina||Assignee:||Tomcat Developers Mailing List <dev>|
Description Jack Zhang 2015-03-18 14:53:38 UTC
I am using tomcat 7.0.57, and I have CorsFilter configured in my application, in my login page, I just have normal form with the username & password filter and a submit button, I set the "method" to "POST', when I use Google Chrome to login, I get a 403 error. The reason is Google Chrome adds the "origin" into the http header, and the value is same as the host value(both of them are "http://localhost:8000"). It will be nice if someone can update CorsFilter.checkRequestType to return a CORSRequestType.NOT_CORS in this case.
Comment 2 Mark Thomas 2015-03-18 15:35:09 UTC
If the client sends the origin header then the server has to treat it as a CORS request. I don't see any scope in the CORS spec for the behaviour you are requesting. I do wonder why Chrome is adding the origin header but that is a question for Chrome.
Comment 3 Jack Zhang 2015-03-18 15:47:44 UTC
Hi Mark, Thanks for the quick reply. I do not know why Chrome team wants to handle this case differently from the other browser. But based on the IETF specification(http://tools.ietf.org/html/rfc6454#section-7.3), the user agent can include the "origin" in any of the HTTP request. So it is definitely unfair to check only the existence of this element. Thanks, Jack
Comment 4 Mark Thomas 2015-03-18 20:52:05 UTC
Fair enough. We'll have to check the host header (or equivalent) and compare it to the origin. I'm working on a patch and should have something soon.
Comment 5 Mark Thomas 2015-03-18 21:18:13 UTC
Fixed in trunk, 8.0.x for 8.0.21 onwards and 7.0.x for 7.0.60 onwards.