Posted to dev@tomcat.apache.org by Jason Brittain <ja...@gmail.com> on 2013/05/30 23:06:12 UTC

CORS Filter

Hi all.

Some of us at eBay noticed that Tomcat currently does not implement CORS (
http://www.w3.org/TR/cors/ ), but that some other modern web servers and
servlet containers do.  We were wondering whether you're interested in
including our implementation of the spec, written by Mohit Soni <
mohitsoni1989@gmail.com>.  eBay recently open-sourced this implementation
of server-side CORS (under Apache License, version 2). The implementation
is a Java Servlet Filter that implements W3C's CORS specification:

https://github.com/ebay/cors-filter

Here are a few reasons why we believe this implementation is a good fit:
* Implements all required sections of the spec for servers. Handles
simple/actual and pre-flight requests as per the specification.
* Written specifically to fit well with Tomcat's source, and is formatted
the same as Tomcat's source.
* Filter implementation is just one class and is well Javadoc'd (
https://github.com/eBay/cors-filter/blob/master/src/main/java/org/ebaysf/web/cors/CORSFilter.java).
* Includes ample unit tests to validate the implementation against the spec
(
https://github.com/eBay/cors-filter/blob/master/src/test/java/org/ebaysf/web/cors/CORSFilterTest.java).
* Simple to configure minimally and use (
https://github.com/eBay/cors-filter/blob/master/README.md#quick-start )
* Easy to override default configuration, if required (
https://github.com/eBay/cors-filter/blob/master/README.md#configuring-cors-filter)
* Documentation is written to fit well with Tomcat's documentation (
https://github.com/eBay/cors-filter/blob/master/README.md ).
* Uses Apache License, version 2.0
* Protects against CRLF injection / response splitting attacks.

Also, here's a sample application using this filter:
http://corsdemo.appspot.com

We would like to contribute this implementation to Apache Software
Foundation, to be included in Tomcat, and Mohit also would like to maintain
and develop it, going forward.  It's true that as a Servlet Filter, any
webapp developer may add it to their app whether Tomcat includes it or not,
but we believe that this is fundamental server behavior that should be
present and easy to enable in the server, as it is in some other servers.

Thoughts?
--
Jason
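
The request handling named in the feature list above (telling simple, actual and pre-flight requests apart, and refusing an Origin that carries CR/LF before it can be echoed into a response header), as an added example that is not part of the original message and is not code from the eBay cors-filter project. The class, enum and method names are hypothetical, and the sample requests in `main` are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class CorsClassifyExample {
    enum Kind { NOT_CORS, SIMPLE, ACTUAL, PRE_FLIGHT, INVALID }
    static final Set<String> SIMPLE_POST_TYPES = Set.of(
            "application/x-www-form-urlencoded", "multipart/form-data", "text/plain");

    // An Origin is echoed into a response header, so refuse control characters
    // (CR/LF) and '%' (possible encoded CRLF) before it gets anywhere near one.
    static boolean isValidOrigin(String origin) {
        if (origin.isEmpty() || origin.indexOf('%') >= 0) return false;
        if (origin.chars().anyMatch(c -> c < 0x20 || c == 0x7f)) return false;
        try {
            URI u = new URI(origin);
            return u.getScheme() != null && u.getHost() != null;
        } catch (URISyntaxException e) { return false; }
    }

    // Header names are matched exactly here; a servlet container matches them
    // case-insensitively.
    static Kind classify(String method, Map<String, String> h) {
        String origin = h.get("Origin");
        if (origin == null) return Kind.NOT_CORS;           // same-origin or non-browser client
        if (!isValidOrigin(origin)) return Kind.INVALID;    // never reflected into the response
        if (method.equals("OPTIONS")) {
            String requested = h.get("Access-Control-Request-Method");
            if (requested == null) return Kind.ACTUAL;      // plain OPTIONS, not a pre-flight
            return requested.isBlank() ? Kind.INVALID : Kind.PRE_FLIGHT;
        }
        if (method.equals("GET") || method.equals("HEAD")) return Kind.SIMPLE;
        if (method.equals("POST")) {
            // Compare the media type only, without parameters such as charset.
            String type = h.getOrDefault("Content-Type", "").split(";", 2)[0].trim();
            return SIMPLE_POST_TYPES.contains(type.toLowerCase(Locale.ROOT)) ? Kind.SIMPLE : Kind.ACTUAL;
        }
        return Kind.ACTUAL;                                 // PUT, DELETE, ...
    }

    public static void main(String[] args) {
        String o = "https://app.example.com";               // constructed sample origin
        System.out.println(classify("GET", Map.of("Origin", o)));
        System.out.println(classify("OPTIONS", Map.of("Origin", o, "Access-Control-Request-Method", "PUT")));
        System.out.println(classify("POST", Map.of("Origin", o, "Content-Type", "application/json")));
        System.out.println(classify("GET", Map.of("Origin", o + "\r\nX-Injected: 1")));
    }
}
```

A filter built on this would emit `Access-Control-Allow-Origin` only for a request whose kind is not `INVALID` and whose origin is on its configured allow-list.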

Re: CORS Filter

Posted by mohit soni <mo...@gmail.com>.
I have created an enhancement request in Tomcat 8, Bugzilla. Here's the
link: https://issues.apache.org/bugzilla/show_bug.cgi?id=55046

Mohit


On Fri, May 31, 2013 at 3:09 AM, Mark Thomas <ma...@apache.org> wrote:

> On 30/05/2013 22:06, Jason Brittain wrote:
>
> > Thoughts?
>
> Create an enhancement request in Bugzilla.
>
> I note that there was a request for this a few months ago on the users
> list.
>
> Mark
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>

Re: CORS Filter

Posted by Mark Thomas <ma...@apache.org>.
On 30/05/2013 22:06, Jason Brittain wrote:

> Thoughts?

Create an enhancement request in Bugzilla.

I note that there was a request for this a few months ago on the users list.

Mark