tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jason Brittain <>
Subject CORS Filter
Date Thu, 30 May 2013 21:06:12 GMT
Hi all.

Some of us at eBay noticed that Tomcat currently does not implement CORS ( ), but that some other modern web servers and
servlet containers do.  We were wondering whether you're interested in
including our implementation of the spec, written by Mohit Soni <>.  eBay recently open-sourced this implementation
of server-side CORS (under Apache License, version 2). The implementation
is a Java Servlet Filter that implements W3C's CORS specification:

Here are few reasons why we believe this implementation is a good fit:
* Implements all required sections of the spec for servers. Handles
simple/actual and pre-flight requests as per the specification.
* Written specifically to fit well with Tomcat's source, and is formatted
the same as Tomcat's source.
* Filter implementation is just one class and is well Javadoc'd (
* Includes ample unit tests to validate the implementation against the spec
* Simple to configure minimally and use ( )
* Easy to override default configuration, if required (
* Documentation is written to fit well with Tomcat's documentation ( ).
* Uses Apache License, version 2.0
* Protects against CRLF injection / response splitting attacks.

Also, here's a sample application using this filter:

We would like to contribute this implementation to Apache Software
Foundation, to be included in Tomcat, and Mohit also would like to maintain
and develop it, going forward.  It's true that as a Servlet Filter, any
webapp developer may add it to their app whether Tomcat includes it or not,
but we believe that this is fundamental server behavior that should be
present and easy to enable in the server, as it is in some other servers.


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message