In CorsFilter of trunk starting with line 1030: [[[ /** * {@link Collection} of Simple HTTP request headers. Case in-sensitive. * * @see <a href="http://www.w3.org/TR/cors/#terminology" * >http://www.w3.org/TR/cors/#terminology</a> */ public static final Collection<String> SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES = new HashSet<>(Arrays.asList("application/x-www-form-urlencoded", "multipart/form-data", "text/plain")); ]]] starting with line 641: [[[ } else if ("POST".equals(method)) { String contentType = request.getContentType(); if (contentType != null) { contentType = contentType.toLowerCase().trim(); if (SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES .contains(contentType)) { requestType = CORSRequestType.SIMPLE; } else { requestType = CORSRequestType.ACTUAL; } } } else { ]]] According to w3.org "Terminology" link above, 1) Javadoc for SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES is a bit off (copy-pasted from another field). It is actually a collection of mime-type values for Content-Type header so that this header is treated as a "simple header" 2) The check using SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES shall ignore any parameters that may be present in Content-Type header value. E.g. "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" shall match successfully.
This has the potential to get expensive performance-wise. Parsing mime-types from a content-type header is non-trivial but we do have o.a.tomcat.util.http.parser.MediaType and MediaTypeCache
Parsing is needed when you need the value of a parameter (e.g. charset). In this case just trimming at the first ';' is OK.
You are right. When I first looked at this I started to look at how the request content-type header was parsed and that has some issues that would need o.a.tomcat.util.http.parser.MediaType to solve but that isn't required for this specific usage.
Fixed in trunk, 8.0.x (for 8.0.19 onwards( and 7.0.x (for 7.0.60 onwards)