Posted to users@camel.apache.org by Martin Scheffler <ma...@gmail.com> on 2015/10/09 09:22:55 UTC
REST endpoint with CORS sends invalid header value for Access-Control-Allow-Origin
Hi all,

I tried enabling CORS for our camel REST endpoint and it does not really
work.
The Access-Control-Allow-Origin header is sent, as it should be.
Unfortunately the value of the header is "*, *" which is not accepted as
correct by newer browser versions.
Firefox 41.0.1 and Chrome 45.0 both reject this header value and do not
allow cross domain access. It seems newer browsers only
accept a single domain name or "*" and not a list of domains.

See http://www.w3.org/TR/cors/#access-control-allow-origin-response-header

So please change the default behavior to send only "*".

I tried setting the header value manually:

    <restConfiguration component="servlet" bindingMode="json"
                       contextPath="MyService/rest" port="8080" enableCORS="true">
        <corsHeaders key="Access-Control-Allow-Origin"
                     value="localhost"/>
    </restConfiguration>

But this results in a header value of "*, localhost" which is also not
accepted.

A workaround is to set <corsHeaders key="Access-Control-Allow-Origin"
value=""/> which results in a value of "*" for some reason.

Cheers,
Martin
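
An added example, not part of the original post and not Camel code: a JavaScript model of the check a browser applies to Access-Control-Allow-Origin under the Fetch standard, run against the header values reported above. The origin http://localhost:3000 is a constructed sample, and the idea that "*, *" comes from the header being set twice is an assumption of this example.

```javascript
// Added example, not Camel code. Models the Fetch standard's CORS check
// on the Access-Control-Allow-Origin response header.

// HTTP treats repeated fields of one name as a single comma-joined value.
// Assumption: the "*, *" seen on the wire comes from the header being set twice.
function combineHeader(values) {
  return values.join(", ");
}

// requestOrigin: serialized origin of the calling page (scheme://host[:port]).
// withCredentials: true when the request carries cookies or HTTP auth.
function corsCheck(headerValue, requestOrigin, withCredentials = false) {
  if (headerValue == null || headerValue.trim() === "") {
    return { ok: false, reason: "header missing or empty" };
  }
  const value = headerValue.trim();
  if (value === "*") {
    return withCredentials
      ? { ok: false, reason: "wildcard is not allowed with credentials" }
      : { ok: true, reason: "wildcard" };
  }
  if (value === requestOrigin) {
    return { ok: true, reason: "exact origin match" };
  }
  // Everything else fails; the branches below only explain why.
  if (value.includes(",")) {
    return { ok: false, reason: "list of values, only one is permitted" };
  }
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(value)) {
    return { ok: false, reason: "bare host name, scheme://host[:port] expected" };
  }
  return { ok: false, reason: "origin does not match the request" };
}

// Constructed sample origin; "*, *" and "*, localhost" are the values from
// this thread, the remaining cases are constructed for comparison.
const ORIGIN = "http://localhost:3000";
const cases = [
  combineHeader(["*", "*"]),
  combineHeader(["*", "localhost"]),
  "*",
  "localhost",
  ORIGIN,
];
for (const v of cases) {
  const r = corsCheck(v, ORIGIN);
  console.log(JSON.stringify(v).padEnd(26), r.ok ? "accepted" : "rejected", "-", r.reason);
}
```

Note that a bare "localhost" would be rejected even without the extra "*", because the value has to equal the full origin of the calling page, and that "*" stops working as soon as the request carries credentials.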
Re: REST endpoint with CORS sends invalid header value for Access-Control-Allow-Origin
Posted by Claus Ibsen <cl...@gmail.com>.
Hi
Thanks for reporting.
You are very welcome to log a JIRA and provide a patch
http://camel.apache.org/support.html
We love contributions
http://camel.apache.org/contributing.html
On Fri, Oct 9, 2015 at 9:22 AM, Martin Scheffler
<ma...@gmail.com> wrote:
> Hi all,
>
> I tried enabling CORS for our camel REST endpoint and it does not really
> work.
> The Access-Control-Allow-Origin header is sent, as it should be.
> Unfortunately the value of the header is "*, *" which is not accepted as
> correct by newer browser versions.
> Firefox 41.0.1 and Chrome 45.0 both reject this header value and do not
> allow cross domain access. It seems newer browsers only
> accept a single domain name or "*" and not a list of domains.
>
> See http://www.w3.org/TR/cors/#access-control-allow-origin-response-header
>
> So please change the default behavior to send only "*".
>
> I tried setting the header value manually:
>
> <restConfiguration component="servlet" bindingMode="json"
> contextPath="MyService/rest" port="8080" enableCORS="true">
> <corsHeaders key="Access-Control-Allow-Origin"
> value="localhost"/>
> </restConfiguration>
>
> But this results in a header value of "*, localhost" which is also not
> accepted.
>
> A workaround is to set <corsHeaders key="Access-Control-Allow-Origin"
> value=""/> which results in a value of "*" for some reason.
>
> Cheers,
> Martin
--
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2nd edition:
https://www.manning.com/books/camel-in-action-second-edition