You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomee.apache.org by Matthew Broadhead <ma...@nbmlaw.co.uk.INVALID> on 2019/04/10 07:09:28 UTC

cors filter

i cannot seem to get the CORS filter in Tomcat working
http://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#CORS_Filter

i ended up creating a custom filter like the accepted answer in 
https://stackoverflow.com/questions/38354664/enable-cors-on-tomcat-8-0-30

also, every tutorial seems to set cors.allowed.origins to *. doesn't 
this defeat the whole purpose of CORS?  it should be set to list just 
the origins that are allowed to access the resource? otherwise your 
customers can get phished?

Re: cors filter

Posted by Jean-Louis Monteiro <jl...@tomitribe.com>.

Regarding Tomcat filter, not sure, I most of the time end up doing my own
filter too.
Maybe, forward the email to tomcat mailing list too.

Yes, if you use * it defeats the purpose of the CORS protection.

--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com

On Wed, Apr 10, 2019 at 9:09 AM Matthew Broadhead
<ma...@nbmlaw.co.uk.invalid> wrote:

> i cannot seem to get the CORS filter in Tomcat working
> http://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#CORS_Filter
>
> i ended up creating a custom filter like the accepted answer in
> https://stackoverflow.com/questions/38354664/enable-cors-on-tomcat-8-0-30
>
> also, every tutorial seems to set cors.allowed.origins to *. doesn't
> this defeat the whole purpose of CORS?  it should be set to list just
> the origins that are allowed to access the resource? otherwise your
> customers can get phished?
>