Posted to dev@tomcat.apache.org by bu...@apache.org on 2022/10/11 21:07:58 UTC
[Bug 66304] New: CORS returns double Allow-Origin header
https://bz.apache.org/bugzilla/show_bug.cgi?id=66304
Bug ID: 66304
Summary: CORS returns double Allow-Origin header
Product: Tomcat 10
Version: 10.0.23
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: glenn_v_a@hotmail.com
Target Milestone: ------
Basic Setup:
I have a Docker container running the PlantUML server (Tomcat version) at the
following address: http://192.168.1.10
(Link: https://github.com/plantuml/plantuml-server)
I have a website that makes a POST request to the server, with some content in
the body:
URL: http://192.168.1.10/png
BODY:
Bob -> Alice : hello2
Steve -> Jonah
Sven -> Miriam
Hans -> Grietje
This should return an image (works using Postman).
However, when performing this POST request in the browser using JavaScript, the
browser blocks the response with a CORS error: multiple CORS headers are not
allowed.
When looking at the response, it indeed has two CORS headers:
- Access-Control-Allow-Origin: *
- Access-Control-Allow-Origin: http://192.168.1.10
In web.xml I only have the server configured:
<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
        <param-name>cors.allowed.origins</param-name>
        <param-value>http://192.168.1.10</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.methods</param-name>
        <param-value>GET,POST</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.headers</param-name>
        <param-value>Content-Type,Authorization,Accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Content-Length,Connection</param-value>
    </init-param>
    <init-param>
        <param-name>cors.exposed.headers</param-name>
        <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
    </init-param>
    <init-param>
        <param-name>cors.support.credentials</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>
When I change the URL to * I still get two headers, both containing a *:
- Access-Control-Allow-Origin: *
- Access-Control-Allow-Origin: *
With the same error message as a result.
It seems that when a valid CORS request is received, the server always adds the
*-header by default instead of only the matched URL.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
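The following is an added example, not code from the bug report, Tomcat or PlantUML. It reproduces offline why the browser rejects the response described above: it parses a raw HTTP response (a constructed sample using the two Access-Control-Allow-Origin headers from the report) into a header list that keeps duplicates, then applies the browser's CORS response check. The decision logic is a simplified reading of the Fetch standard's "CORS check": repeated headers are combined with ", " before comparison, which is why two copies of "*" still fail, exactly as the reporter observed. The origin value and the audit flags are assumptions made for the illustration.

```python
"""Offline check for a double Access-Control-Allow-Origin response."""
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]

# Constructed sample response with the header shape from the bug report.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/png\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Allow-Origin: http://192.168.1.10\r\n"
    "Vary: Origin\r\n"
    "\r\n"
)


def parse_response(raw: str) -> List[Header]:
    """Return the header list of a raw HTTP response, preserving duplicates and order.

    Names are lower-cased; values are stripped of surrounding whitespace.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers: List[Header] = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def get_combined(headers: List[Header], name: str) -> Optional[str]:
    """Fetch's 'get' on a header list: all matching values joined with ', ', or None."""
    values = [v for n, v in headers if n == name.lower()]
    return ", ".join(values) if values else None


def cors_check(origin: str, headers: List[Header], credentials: bool = False) -> Tuple[bool, str]:
    """Decide whether a browser would expose this response to a page at `origin`.

    Simplified Fetch CORS check:
      1. missing ACAO or ACAO == 'null'          -> failure
      2. '*' is accepted only without credentials
      3. otherwise ACAO must equal the request origin byte for byte
      4. credentialed requests also need Access-Control-Allow-Credentials: true
    """
    acao = get_combined(headers, "access-control-allow-origin")
    if acao is None or acao == "null":
        return False, "no usable Access-Control-Allow-Origin header"
    if not credentials and acao == "*":
        return True, "wildcard origin accepted for non-credentialed request"
    if acao != origin:
        # Repeated headers always land here: "*, *" or "*, http://..." is never a single origin.
        count = sum(1 for n, _ in headers if n == "access-control-allow-origin")
        if count > 1:
            return False, f"{count} Access-Control-Allow-Origin headers combine to {acao!r}, not a single origin"
        return False, f"Access-Control-Allow-Origin {acao!r} does not match {origin!r}"
    if credentials and get_combined(headers, "access-control-allow-credentials") != "true":
        return False, "credentialed request but Access-Control-Allow-Credentials is not 'true'"
    return True, "origin matches"


def audit(origin: str, headers: List[Header], credentials: bool = False) -> Dict[str, object]:
    """Browser verdict plus the two findings a reviewer of this thread cares about."""
    acao_values = [v for n, v in headers if n == "access-control-allow-origin"]
    allowed, reason = cors_check(origin, headers, credentials)
    return {
        "allowed": allowed,
        "reason": reason,
        "duplicate_acao": len(acao_values) > 1,   # the symptom reported in the bug
        "wildcard_acao": "*" in acao_values,      # any site may read a non-credentialed response
    }


if __name__ == "__main__":
    # Assumed requesting origin; the report does not state the page's own origin.
    for key, value in audit("http://192.168.1.10", parse_response(SAMPLE_RESPONSE)).items():
        print(f"{key}: {value}")
```

Run it against a captured response (for instance the raw output of a `curl -i -H "Origin: ..." ` call pasted into SAMPLE_RESPONSE) to confirm that a CorsFilter change in web.xml cannot fix the symptom while the application itself still emits its own wildcard header.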
--- Comment #1 from glenn_v_a@hotmail.com ---
EDIT:
When I change the URL in the web.xml file to * I still get two headers, both
containing a *

Han Li <li...@apache.org> changed:

What       | Removed | Added
-----------+---------+----------
Status     | NEW     | RESOLVED
Resolution | ---     | INVALID

--- Comment #2 from Han Li <li...@apache.org> ---
> When looking at the response, it indeed has two CORS headers:
> - Access-Control-Allow-Origin: * <- It's provided by the plantuml-server
> - Access-Control-Allow-Origin: http://192.168.1.10 <- As you define it
The following may be the cause of your problem.
https://github.com/plantuml/plantuml-server/blob/b8cb1e2ff0a3b2c39c7fa34d5493b66e19e6ed01/src/main/java/net/sourceforge/plantuml/servlet/DiagramResponse.java#L205
https://github.com/plantuml/plantuml-server/blob/b8cb1e2ff0a3b2c39c7fa34d5493b66e19e6ed01/src/main/java/net/sourceforge/plantuml/servlet/DiagramResponse.java#L122
So it's not a Tomcat bug.

--- Comment #3 from Christopher Schultz <ch...@christopherschultz.net> ---
Wow, that's a pretty bad security problem in PlantUML IMHO.

--- Comment #4 from glenn_v_a@hotmail.com ---
(In reply to Christopher Schultz from comment #3)
> Wow, that's a pretty bad security problem in PlantUML IMHO.
I agree. I already made a bug report in the PlantUML Server GitHub repo.