Bug 57724

Summary: CorsFilter does not work correctly if the "origin" has the same value with the "host"
Product: Tomcat 7
Reporter: Jack Zhang <wenjiezhang2013>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED
Severity: normal
Priority: P2
Version: 7.0.57
Target Milestone: ---
Hardware: PC
OS: All
Attachments: 20150318075625.jpg

Description Jack Zhang 2015-03-18 14:53:38 UTC
I am using Tomcat 7.0.57, and I have CorsFilter configured in my application. In my login page I just have a normal form with the username & password filter and a submit button. I set the "method" to "POST"; when I use Google Chrome to login, I get a 403 error.

The reason is that Google Chrome adds the "origin" into the HTTP header, and the value is the same as the host value (both of them are "http://localhost:8000").

It will be nice if someone can update CorsFilter.checkRequestType to return a CORSRequestType.NOT_CORS in this case.
Comment 1 Jack Zhang 2015-03-18 14:57:07 UTC
Created attachment 32585: 20150318075625.jpg
Comment 2 Mark Thomas 2015-03-18 15:35:09 UTC
If the client sends the origin header then the server has to treat it as a CORS request. I don't see any scope in the CORS spec for the behaviour you are requesting.

I do wonder why Chrome is adding the origin header but that is a question for Chrome.
Comment 3 Jack Zhang 2015-03-18 15:47:44 UTC
Hi Mark,

Thanks for the quick reply.

I do not know why the Chrome team wants to handle this case differently from other browsers. But based on the IETF specification (http://tools.ietf.org/html/rfc6454#section-7.3), the user agent can include the "origin" in any HTTP request. So it is definitely unfair to check only the existence of this element.

Thanks,
Jack
Comment 4 Mark Thomas 2015-03-18 20:52:05 UTC
Fair enough. We'll have to check the host header (or equivalent) and compare it to the origin. I'm working on a patch and should have something soon.
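The comparison Mark describes, as an added Java example that is not Tomcat's CorsFilter code and not the patch that fixed this bug: the request's own scheme, host and port are passed in as plain values (the servlet API would supply them via getScheme(), getServerName() and getServerPort()), and a request whose Origin names exactly that scheme/host/port is reported as same-origin, which a filter may classify as NOT_CORS instead of applying the cross-origin checks. The class and method names and the sample cases are constructed for this illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Added example (not Tomcat's CorsFilter code): decide whether a request that
// carries an Origin header is in fact same-origin, i.e. the Origin names the
// scheme, host and port the request itself arrived on. Such a request can be
// treated as NOT_CORS rather than being rejected by the cross-origin checks.
public final class SameOriginCheck {

    // Default port for a scheme, used when the Origin header omits the port.
    static int defaultPort(String scheme) {
        switch (scheme) {
            case "http":  return 80;
            case "https": return 443;
            default:      return -1;   // unknown scheme never matches a real listener port
        }
    }

    // origin: raw Origin header value, or null when the header is absent.
    // scheme / serverName / serverPort: what the request arrived on, i.e. the
    // values a servlet would read from getScheme(), getServerName(), getServerPort().
    static boolean isSameOrigin(String origin, String scheme, String serverName, int serverPort) {
        if (origin == null || "null".equals(origin)) {
            return false;  // absent, or the opaque "null" origin: not provably same-origin
        }
        URI o;
        try {
            o = new URI(origin);
        } catch (URISyntaxException e) {
            return false;  // unparseable Origin: leave it to the CORS checks to reject
        }
        // A serialized origin is scheme://host[:port] with no path, query or fragment.
        boolean hasPath = o.getRawPath() != null && !o.getRawPath().isEmpty();
        if (o.getScheme() == null || o.getHost() == null
                || hasPath || o.getRawQuery() != null || o.getRawFragment() != null) {
            return false;
        }
        String originScheme = o.getScheme().toLowerCase(Locale.ROOT);
        int originPort = (o.getPort() == -1) ? defaultPort(originScheme) : o.getPort();
        return originScheme.equals(scheme.toLowerCase(Locale.ROOT))
                && o.getHost().equalsIgnoreCase(serverName)
                && originPort == serverPort;
    }

    public static void main(String[] args) {
        // Constructed cases; the first one is the request from the bug report.
        String[][] cases = {
            { "http://localhost:8000",  "http",  "localhost",   "8000" },
            { "http://localhost",       "http",  "localhost",   "80"   },  // implicit default port
            { "https://app.example",    "https", "app.example", "443"  },
            { "http://app.example",     "https", "app.example", "443"  },  // scheme differs
            { "http://localhost:8001",  "http",  "localhost",   "8000" },  // port differs
            { "http://other.example",   "http",  "localhost",   "8000" },  // host differs
            { "null",                   "http",  "localhost",   "8000" },  // opaque origin
        };
        for (String[] c : cases) {
            boolean same = isSameOrigin(c[0], c[1], c[2], Integer.parseInt(c[3]));
            System.out.printf("Origin %-24s on %s://%s:%s -> %s%n",
                    c[0], c[1], c[2], c[3], same ? "NOT_CORS (same-origin)" : "CORS request");
        }
    }
}
```

Two points matter when wiring such a check into a real filter. First, a same-origin verdict only skips the cross-origin handling; the configured allowed-origins list still governs every request that is not same-origin. Second, behind a TLS-terminating reverse proxy, getScheme() and getServerPort() report what the proxy forwarded rather than what the browser used, so unless the connector or RemoteIpValve restores the original scheme and port, same-origin browser requests will still look cross-origin and hit the 403 described in this bug.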
Comment 5 Mark Thomas 2015-03-18 21:18:13 UTC
Fixed in trunk, 8.0.x for 8.0.21 onwards and 7.0.x for 7.0.60 onwards.
Comment 6 Jack Zhang 2015-03-18 21:52:52 UTC
(In reply to Mark Thomas from comment #5)
> Fixed in trunk, 8.0.x for 8.0.21 onwards and 7.0.x for 7.0.60 onwards.

Great, thanks.