Bug 57724 - CorsFilter does not work correctly if the "origin" has the same value with the "host"
CorsFilter does not work correctly if the "origin" has the same value with th...
Status: RESOLVED FIXED
Product: Tomcat 7
Classification: Unclassified
Component: Catalina
7.0.57
PC All
: P2 normal (vote)
: ---
Assigned To: Tomcat Developers Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2015-03-18 14:53 UTC by Jack Zhang
Modified: 2015-03-18 21:52 UTC (History)
0 users



Attachments
20150318075625.jpg (130.96 KB, image/jpeg)
2015-03-18 14:57 UTC, Jack Zhang
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jack Zhang 2015-03-18 14:53:38 UTC
I am using tomcat 7.0.57, and I have CorsFilter configured in my application, in my login page, I just have normal form with the username & password filter and a submit button, I set the "method" to "POST', when I use Google Chrome to login, I get a 403 error.

The reason is Google Chrome adds the "origin" into the http header, and the value is same as the host value(both of them are "http://localhost:8000").

It will be nice if someone can update CorsFilter.checkRequestType to return a CORSRequestType.NOT_CORS in this case.
Comment 1 Jack Zhang 2015-03-18 14:57:07 UTC
Created attachment 32585 [details]
20150318075625.jpg
Comment 2 Mark Thomas 2015-03-18 15:35:09 UTC
If the client sends the origin header then the server has to treat it as a CORS request. I don't see any scope in the CORS spec for the behaviour you are requesting.

I do wonder why Chrome is adding the origin header but that is a question for Chrome.
Comment 3 Jack Zhang 2015-03-18 15:47:44 UTC
Hi Mark,

Thanks for the quick reply.

I do not know why Chrome team wants to handle this case differently from the other browser. But based on the IETF specification(http://tools.ietf.org/html/rfc6454#section-7.3), the user agent can include the "origin" in any of the HTTP request. So it is definitely unfair to check only the existence of this element.

Thanks,
Jack
Comment 4 Mark Thomas 2015-03-18 20:52:05 UTC
Fair enough. We'll have to check the host header (or equivalent) and compare it to the origin. I'm working on a patch and should have something soon.
Comment 5 Mark Thomas 2015-03-18 21:18:13 UTC
Fixed in trunk, 8.0.x for 8.0.21 onwards and 7.0.x for 7.0.60 onwards.
Comment 6 Jack Zhang 2015-03-18 21:52:52 UTC
(In reply to Mark Thomas from comment #5)
> Fixed in trunk, 8.0.x for 8.0.21 onwards and 7.0.x for 7.0.60 onwards.

Great, thanks.