You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2015/03/18 15:53:38 UTC
[Bug 57724] New: CorsFilter does not work correctly if the "origin"
has the same value with the "host"
https://bz.apache.org/bugzilla/show_bug.cgi?id=57724
Bug ID: 57724
Summary: CorsFilter does not work correctly if the "origin" has
the same value with the "host"
Product: Tomcat 7
Version: 7.0.57
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: wenjiezhang2013@gmail.com
I am using tomcat 7.0.57, and I have CorsFilter configured in my application,
in my login page, I just have normal form with the username & password filter
and a submit button, I set the "method" to "POST', when I use Google Chrome to
login, I get a 403 error.
The reason is Google Chrome adds the "origin" into the http header, and the
value is same as the host value(both of them are "http://localhost:8000").
It will be nice if someone can update CorsFilter.checkRequestType to return a
CORSRequestType.NOT_CORS in this case.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 57724] CorsFilter does not work correctly if the "origin" has
the same value with the "host"
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57724
--- Comment #6 from Jack Zhang <we...@gmail.com> ---
(In reply to Mark Thomas from comment #5)
> Fixed in trunk, 8.0.x for 8.0.21 onwards and 7.0.x for 7.0.60 onwards.
Great, thanks.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 57724] CorsFilter does not work correctly if the "origin" has
the same value with the "host"
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57724
--- Comment #1 from Jack Zhang <we...@gmail.com> ---
Created attachment 32585
--> https://bz.apache.org/bugzilla/attachment.cgi?id=32585&action=edit
20150318075625.jpg
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 57724] CorsFilter does not work correctly if the "origin" has
the same value with the "host"
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57724
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|REOPENED |RESOLVED
--- Comment #5 from Mark Thomas <ma...@apache.org> ---
Fixed in trunk, 8.0.x for 8.0.21 onwards and 7.0.x for 7.0.60 onwards.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 57724] CorsFilter does not work correctly if the "origin" has
the same value with the "host"
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57724
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
OS| |All
Resolution|--- |INVALID
Status|NEW |RESOLVED
--- Comment #2 from Mark Thomas <ma...@apache.org> ---
If the client sends the origin header then the server has to treat it as a CORS
request. I don't see any scope in the CORS spec for the behaviour you are
requesting.
I do wonder why Chrome is adding the origin header but that is a question for
Chrome.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 57724] CorsFilter does not work correctly if the "origin" has
the same value with the "host"
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57724
--- Comment #4 from Mark Thomas <ma...@apache.org> ---
Fair enough. We'll have to check the host header (or equivalent) and compare it
to the origin. I'm working on a patch and should have something soon.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 57724] CorsFilter does not work correctly if the "origin" has
the same value with the "host"
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57724
Jack Zhang <we...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|INVALID |---
Status|RESOLVED |REOPENED
--- Comment #3 from Jack Zhang <we...@gmail.com> ---
Hi Mark,
Thanks for the quick reply.
I do not know why Chrome team wants to handle this case differently from the
other browser. But based on the IETF
specification(http://tools.ietf.org/html/rfc6454#section-7.3), the user agent
can include the "origin" in any of the HTTP request. So it is definitely unfair
to check only the existence of this element.
Thanks,
Jack
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org