Bug 60008

Summary: Tomcat CORS filter not allowing origin with file:// when resource access done from WebView
Product: Tomcat 8 Reporter: Chandrashekar H S <schandra>
Component: Catalina Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P2    
Version: 8.0.30   
Target Milestone: ----   
Hardware: PC   
OS: All   

Description Chandrashekar H S 2016-08-16 04:27:57 UTC
The CORS filter is not allowing the request and returns 403 when the request is as follows.

Request Headers
POST http://kodiakptt.com/poc/ HTTP/1.1
Accept: application/json, text/plain, */*
Origin: file://
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; XT1033 Build/KXB20.25-1.31) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36
Content-Type: application/json;charset=UT

We have an app which accesses the resource from the Tomcat web server; if the UI is part of the app and uses the hosted JSCDE/mobile API js file, the webview sends the request with Origin: file://, which Tomcat rejects with 403 Forbidden.
Comment 1 Mark Thomas 2016-08-16 04:45:40 UTC
No configuration has been provided for the CORS filter so the working assumption is going to be that this is a configuration error.

Please use the users@tomcat.apache.org mailing list to debug this further. If that discussion concludes that there is a valid bug here then this issue can be re-opened and the necessary details required to reproduce the issue added.
Comment 2 Chandrashekar H S 2016-08-16 04:53:36 UTC
Below is the CORS filter configuration in the Tomcat web.xml file:
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
    <!--<init-param>
      <param-name>cors.allow.nullorigin</param-name>
      <param-value>true</param-value>       
   </init-param>-->
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,KN-X-UserAgent</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
Comment 3 Mark Thomas 2016-08-23 11:03:37 UTC
OK. I see the problem. "file://" is not a valid URI so Tomcat was rejecting it. However, the spec for origin is that if the scheme is file the rest could be anything. I've modified the filter to allow any URI (valid or not) with a scheme of file.

This has been fixed in the following branches:
- 9.0.x for 9.0.0.M10 onwards
- 8.5.x for 8.5.5 onwards
- 8.0.x for 8.0.37 onwards
- 7.0.x for 7.0.71 onwards
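To make the before/after behaviour from comment 3 concrete, here is an added stand-alone model of the filter's origin handling; it is not Tomcat's CorsFilter source, and the method names, the two-stage validate-then-allow-list structure and the sample origins are assumptions. It relies on java.net.URI rejecting "file://" (no authority before end of input) while accepting "file:///some/path", which is exactly the gap the report hit.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

// Added illustration of the origin check behind this bug (not Tomcat's code).
public class OriginCheck {

    // Pre-fix rule (assumed): the Origin value must parse as a java.net.URI
    // that carries a scheme. "file://" has no authority, so the parser throws
    // and the request is refused with 403, as in the report.
    static boolean isValidOriginBeforeFix(String origin) {
        if ("null".equals(origin)) {
            return true;                // opaque origin some user agents send
        }
        try {
            return new URI(origin).getScheme() != null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    // Post-fix rule (comment 3): anything with scheme file is accepted whether
    // or not the remainder is a valid URI; every other value keeps the old check.
    static boolean isValidOriginAfterFix(String origin) {
        if (origin.startsWith("file://")) {
            return true;
        }
        return isValidOriginBeforeFix(origin);
    }

    // Allow-list step run only after syntax validation (cors.allowed.origins).
    // With "*" every syntactically valid origin passes, which is why the
    // reporter's configuration still produced 403: validation came first.
    static boolean isOriginAllowed(String origin, Set<String> allowedOrigins) {
        return allowedOrigins.contains("*") || allowedOrigins.contains(origin);
    }

    public static void main(String[] args) {
        Set<String> allowed = Set.of("*");   // cors.allowed.origins=* as in comment 2
        String[] origins = {"file://", "file:///android_asset/index.html",
                            "https://example.com", "null", "not a uri"};  // constructed
        for (String o : origins) {
            boolean before = isValidOriginBeforeFix(o) && isOriginAllowed(o, allowed);
            boolean after = isValidOriginAfterFix(o) && isOriginAllowed(o, allowed);
            System.out.printf("%-36s before fix: %-5s after fix: %s%n", o, before, after);
        }
    }
}
```

Note that with cors.support.credentials=true the wildcard cannot be returned literally (the CORS specification does not permit Access-Control-Allow-Origin: * on credentialed responses), so the configuration in comment 2 effectively grants credentialed access to any origin the validator lets through, file:// included after this fix; an explicit allow-list of origins is the safer setting.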