I am using Tomcat 7.0.57 and I have CorsFilter configured in my application. In my login page I just have a normal form with the username & password fields and a submit button, and I set the "method" to "POST". When I use Google Chrome to log in, I get a 403 error. The reason is that Google Chrome adds the "Origin" header to the HTTP request, and its value is the same as the Host value (both of them are "http://localhost:8000"). It would be nice if someone could update CorsFilter.checkRequestType to return CORSRequestType.NOT_CORS in this case.
Created attachment 32585: 20150318075625.jpg
If the client sends the origin header then the server has to treat it as a CORS request. I don't see any scope in the CORS spec for the behaviour you are requesting. I do wonder why Chrome is adding the origin header but that is a question for Chrome.
Hi Mark, thanks for the quick reply. I do not know why the Chrome team wants to handle this case differently from the other browsers. But based on the IETF specification (http://tools.ietf.org/html/rfc6454#section-7.3), the user agent can include the "Origin" header in any HTTP request. So it is definitely unfair to check only for the existence of this header. Thanks, Jack
Fair enough. We'll have to check the host header (or equivalent) and compare it to the origin. I'm working on a patch and should have something soon.
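The Host/Origin comparison described in this comment, as an added Python example (not Tomcat's code): a request carrying an Origin header counts as CORS only when that origin's scheme, host or effective port differs from the request target, so Chrome's same-origin login POST from the report is classified NOT_CORS. Header names in the sample requests are assumed to be in canonical form.

```python
from urllib.parse import urlsplit

# Default ports let "https://app.example" match "https://app.example:443".
DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_tuple(scheme, netloc):
    """Normalise scheme/host/port into a comparable tuple (lower-case, default port filled in)."""
    try:
        parts = urlsplit(f"{scheme}://{netloc}")
        host = (parts.hostname or "").lower()
        port = parts.port or DEFAULT_PORTS.get(scheme.lower())
    except ValueError:  # malformed port such as "host:abc"
        return None
    return (scheme.lower(), host, port)


def is_same_origin(request_scheme, host_header, origin_header):
    """True when the Origin header denotes exactly the origin the request was sent to."""
    origin = urlsplit(origin_header.strip())
    if not origin.scheme or not origin.hostname:
        return False  # absent scheme/host, or the opaque "null" origin: treat as cross-origin
    expected = _origin_tuple(request_scheme, host_header)
    actual = _origin_tuple(origin.scheme, origin.netloc)
    return expected is not None and expected == actual


def classify_request(method, request_scheme, headers):
    """Minimal request-type decision: NOT_CORS for no Origin or a same-origin Origin,
    PRE_FLIGHT for OPTIONS + Access-Control-Request-Method, otherwise CORS."""
    origin = headers.get("Origin")
    if origin is None or is_same_origin(request_scheme, headers["Host"], origin):
        return "NOT_CORS"
    if method.upper() == "OPTIONS" and "Access-Control-Request-Method" in headers:
        return "PRE_FLIGHT"
    return "CORS"


if __name__ == "__main__":
    # Constructed sample: the login POST from the bug report, as sent by Chrome.
    chrome_login = {"Host": "localhost:8000", "Origin": "http://localhost:8000"}
    print(classify_request("POST", "http", chrome_login))  # NOT_CORS

    # Constructed sample: a genuine cross-origin preflight.
    preflight = {"Host": "localhost:8000", "Origin": "https://other.example",
                 "Access-Control-Request-Method": "PUT"}
    print(classify_request("OPTIONS", "http", preflight))  # PRE_FLIGHT
```

The comparison is only as trustworthy as the server's own view of scheme, name and port; behind a TLS-terminating proxy, take those from the configured connector or forwarded-header handling rather than the raw Host header, or an https page served via an http backend will be misclassified as cross-origin.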
Fixed in trunk, 8.0.x for 8.0.21 onwards and 7.0.x for 7.0.60 onwards.
(In reply to Mark Thomas from comment #5) > Fixed in trunk, 8.0.x for 8.0.21 onwards and 7.0.x for 7.0.60 onwards. Great, thanks.