Bug 62676 - Documentation of CORS Filter is now misleading
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Documentation
Version: 8.5.x-trunk
Hardware: PC All
Importance: P2 minor
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Reported: 2018-09-05 08:17 UTC by Mark Nolan
Modified: 2018-09-12 21:04 UTC
Description Mark Nolan 2018-09-05 08:17:53 UTC
This is partially a re-report of 62455, but with a more current version reported.

The documentation says that the minimal configuration of the CORS Filter is:

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

This was true when the default for cors.allowed.origins was * (e.g. https://web.archive.org/web/20180213064017/https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#CORS_Filter), but in the .53 release, it was changed to empty string per bug 62343.

The documentation should be updated with either a comment that the minimal configuration doesn't allow any access (so, what's the point?) or with the equivalent new configuration:

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
Comment 1 Mark Thomas 2018-09-12 21:04:46 UTC
Thanks for the report. I've added some additional wording to the docs.

Fixed in:
- trunk for 9.0.13 onwards
- 8.5.x for 8.5.35 onwards
- 7.0.x for 7.0.91 onwards
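
Added example, not part of the bug report or of Tomcat's code: a Python check that reads a web.xml and reports, for each CorsFilter, whether the configured cors.allowed.origins leaves the filter allowing no origins (the "minimal" configuration under the new empty default), any origin, or an explicit list. The function names and sample origins are hypothetical, and the handling of the value (comma-separated list, `*` only as the whole value) is an assumption about how the filter reads it.

```python
import xml.etree.ElementTree as ET

CORS_CLASS = "org.apache.catalina.filters.CorsFilter"

def _local(tag):
    """Drop the XML namespace so namespaced and plain web.xml both parse."""
    return tag.rsplit("}", 1)[-1]

def _text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_cors_filters(web_xml):
    """Map each CorsFilter's filter-name to (origins, verdict)."""
    results = {}
    for flt in ET.fromstring(web_xml).iter():
        if _local(flt.tag) != "filter" or _text(flt, "filter-class") != CORS_CLASS:
            continue
        params = {_text(p, "param-name"): _text(p, "param-value")
                  for p in flt if _local(p.tag) == "init-param"}
        # Assumption taken from the report: an unset value now defaults to "".
        raw = (params.get("cors.allowed.origins") or "").strip()
        origins = [o.strip() for o in raw.split(",") if o.strip()]
        if not origins:
            verdict = "no-origins"    # mapped, but no cross-origin request is allowed
        elif raw == "*":
            verdict = "any-origin"    # same effect as the old default
        else:
            verdict = "allow-list"
        results[_text(flt, "filter-name")] = (origins, verdict)
    return results

# Constructed sample: both configurations from the report plus an allow-list.
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
 <filter><filter-name>Minimal</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class></filter>
 <filter><filter-name>Wildcard</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param><param-name>cors.allowed.origins</param-name>
   <param-value>*</param-value></init-param></filter>
 <filter><filter-name>Listed</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param><param-name>cors.allowed.origins</param-name>
   <param-value>https://a.example, https://b.example</param-value></init-param></filter>
</web-app>"""
for name, (origins, verdict) in audit_cors_filters(SAMPLE).items():
    print(f"{name}: {verdict} {origins}")
```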