Bug 60008 - Tomcat CORS filter not allowing origin with file:// when resource access done from WebView
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina
Version: 8.0.30
Hardware: PC All
Importance: P2 normal
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-08-16 04:27 UTC by Chandrashekar H S
Modified: 2016-08-23 11:03 UTC
Description Chandrashekar H S 2016-08-16 04:27:57 UTC
The CORS filter is not allowing the request and returns 403 when the request is as follows.

Request Headers
POST http://kodiakptt.com/poc/ HTTP/1.1
Accept: application/json, text/plain, */*
Origin: file://
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; XT1033 Build/KXB20.25-1.31) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36
Content-Type: application/json;charset=UT

We have an app which accesses the resource from the Tomcat web server. If the UI is part of the app and uses the hosted JSCDE/mobile API js file, the webview sends the request with Origin: file://, which Tomcat rejects with 403 Forbidden.
Comment 1 Mark Thomas 2016-08-16 04:45:40 UTC
No configuration has been provided for the CORS filter so the working assumption is going to be that this is a configuration error.

Please use the users@tomcat.apache.org mailing list to debug this further. If that discussion concludes that there is a valid bug here then this issue can be re-opened and the necessary details required to reproduce the issue added.
Comment 2 Chandrashekar H S 2016-08-16 04:53:36 UTC
Below is the CORS filter configuration in the Tomcat web.xml file:
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <!--<init-param>
    <param-name>cors.allow.nullorigin</param-name>
    <param-value>true</param-value>
  </init-param>-->
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,KN-X-UserAgent</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
Comment 3 Mark Thomas 2016-08-23 11:03:37 UTC
OK. I see the problem. "file://" is not a valid URI, so Tomcat was rejecting it. However, the spec for origin is that if the scheme is file, the rest could be anything. I've modified the filter to allow any URI (valid or not) with a scheme of file.

This has been fixed in the following branches:
- 9.0.x for 9.0.0.M10 onwards
- 8.5.x for 8.5.5 onwards
- 8.0.x for 8.0.37 onwards
- 7.0.x for 7.0.71 onwards
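The decision described in comment 3, as an added example (this is not Tomcat's code and not from the bug report; the function and class names are this example's own): a small model of the filter's origin check and of the Access-Control-* headers a simple request receives. With the "before" flag the literal value "file://" fails the URI syntax check and the request is refused with 403, which is what the reporter saw; with the "after" flag any origin whose scheme is file is accepted, as RFC 6454 section 4 leaves the serialisation of file origins implementation-defined. Two caveats worth reading off the model. First, Origin: file:// is what every page loaded from local disk or from any app's WebView sends, so accepting it identifies nothing about the caller. Second, the configuration posted in comment 2 combines cors.allowed.origins=* with cors.support.credentials=true; the filter cannot answer "*" when credentials are supported, so it echoes whatever Origin arrived and adds Allow-Credentials, which grants every origin credentialed access, and newer Tomcat releases refuse that combination when the filter is initialised. If only the app's WebView is meant to be served, list the literal value file:// (plus the real web origins) instead of "*".

```python
"""Added example, not code from Tomcat or from this bug report: a minimal
model of how the CorsFilter decides whether an Origin header is acceptable
and which Access-Control-* headers a simple (non-preflight) request gets.
The names here (is_valid_origin, CorsConfig, handle_simple_request) are this
example's own and are not the filter's API."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def _is_syntactically_valid_uri(origin: str) -> bool:
    """Approximate java.net.URI's strictness: a scheme is required, and
    'scheme://' with nothing after the slashes is rejected (that is the
    parse failure behind the 403 in this bug).  Python's urlsplit() accepts
    'file://' with an empty netloc, so that case is checked explicitly."""
    try:
        parts = urlsplit(origin)
    except ValueError:
        return False
    if not parts.scheme:
        return False
    return origin[len(parts.scheme) + 1:] != "//"


def is_valid_origin(origin: str, allow_any_file_origin: bool = True) -> bool:
    """allow_any_file_origin=False models 8.0.36 and earlier; True models the
    fix from comment 3, which accepts any origin whose scheme is 'file'."""
    if "%" in origin:          # this example's own guard against encoded CR/LF
        return False
    if origin == "null":       # opaque origins serialise as the literal 'null'
        return True
    # RFC 6454 section 4: for the file scheme the serialised origin is
    # implementation-defined, so nothing after 'file://' can be validated.
    if allow_any_file_origin and origin.startswith("file://"):
        return True
    return _is_syntactically_valid_uri(origin)


@dataclass
class CorsConfig:
    """Subset of the filter's init-params that matters for this bug."""
    allowed_origins: set = field(default_factory=set)
    any_origin: bool = False            # cors.allowed.origins = *
    support_credentials: bool = False   # cors.support.credentials
    allow_any_file_origin: bool = True  # False = pre-fix behaviour

    @classmethod
    def from_init_params(cls, params: dict) -> "CorsConfig":
        # An absent cors.allowed.origins means 'allow nothing' in this model.
        origins = params.get("cors.allowed.origins", "").strip()
        return cls(
            allowed_origins={o.strip() for o in origins.split(",") if o.strip()}
            if origins != "*" else set(),
            any_origin=origins == "*",
            support_credentials=params.get("cors.support.credentials", "false")
            .strip().lower() == "true",
        )


def handle_simple_request(cfg: CorsConfig, headers: dict) -> tuple:
    """Return (status, cors_response_headers).  200 means the filter lets the
    request reach the servlet; 403 means the filter stopped it."""
    origin = headers.get("Origin")
    if origin is None:
        return 200, {}                  # not a CORS request; nothing to do
    if not is_valid_origin(origin, cfg.allow_any_file_origin):
        return 403, {}                  # what the reporter saw for 'file://'
    if not cfg.any_origin and origin not in cfg.allowed_origins:
        return 403, {}
    resp = {}
    if cfg.any_origin and not cfg.support_credentials:
        resp["Access-Control-Allow-Origin"] = "*"
    else:
        # Credentials require a concrete origin, so the request's Origin is
        # echoed.  With '*' that means every origin, file:// included, is
        # echoed back and credentialed.
        resp["Access-Control-Allow-Origin"] = origin
    if cfg.support_credentials:
        resp["Access-Control-Allow-Credentials"] = "true"
    return 200, resp


# Constructed from the init-params posted in comment 2 and the Origin header
# shown in the description.
REPORTER_CONFIG = CorsConfig.from_init_params({
    "cors.allowed.origins": "*",
    "cors.support.credentials": "true",
})
WEBVIEW_REQUEST = {"Origin": "file://"}

if __name__ == "__main__":
    pre_fix = CorsConfig(any_origin=True, support_credentials=True,
                         allow_any_file_origin=False)
    print("8.0.36:", handle_simple_request(pre_fix, WEBVIEW_REQUEST))
    print("8.0.37:", handle_simple_request(REPORTER_CONFIG, WEBVIEW_REQUEST))
```

Running the block prints the pre-fix result (403, no headers) and the post-fix result, where "file://" is echoed in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true. A CorsConfig built with an explicit allowed_origins set shows the tighter alternative: unlisted origins still get 403 while file:// and the listed web origins are answered.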