Subject: CORS Filter
From: Jason Brittain
To: Tomcat Developers List
Date: Thu, 30 May 2013 14:06:12 -0700

Hi all.

Some of us at eBay noticed that Tomcat currently does not implement CORS (http://www.w3.org/TR/cors/), but that some other modern web servers and servlet containers do. We were wondering whether you're interested in including our implementation of the spec, written by Mohit Soni <mohitsoni1989@gmail.com>.

eBay recently open-sourced this implementation of server-side CORS (under Apache License, version 2). The implementation is a Java Servlet Filter that implements W3C's CORS specification: https://github.com/ebay/cors-filter

Here are a few reasons why we believe this implementation is a good fit:

* Implements all required sections of the spec for servers. Handles simple/actual and pre-flight requests as per the specification.
* Written specifically to fit well with Tomcat's source, and is formatted the same as Tomcat's source.
* Filter implementation is just one class and is well Javadoc'd (https://github.com/eBay/cors-filter/blob/master/src/main/java/org/ebaysf/web/cors/CORSFilter.java).
* Includes ample unit tests to validate the implementation against the spec (https://github.com/eBay/cors-filter/blob/master/src/test/java/org/ebaysf/web/cors/CORSFilterTest.java).
* Simple to configure minimally and use (https://github.com/eBay/cors-filter/blob/master/README.md#quick-start).
* Easy to override default configuration, if required (https://github.com/eBay/cors-filter/blob/master/README.md#configuring-cors-filter).
* Documentation is written to fit well with Tomcat's documentation (https://github.com/eBay/cors-filter/blob/master/README.md).
* Uses Apache License, version 2.0.
* Protects against CRLF injection / response splitting attacks.

Also, here's a sample application using this filter: http://corsdemo.appspot.com

We would like to contribute this implementation to the Apache Software Foundation, to be included in Tomcat, and Mohit also would like to maintain and develop it going forward. It's true that as a Servlet Filter, any webapp developer may add it to their app whether Tomcat includes it or not, but we believe that this is fundamental server behavior that should be present and easy to enable in the server, as it is in some other servers.

Thoughts?

--
Jason
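As an added illustration, not part of the original message and not the eBay cors-filter's own code, the following hypothetical servlet filter shows the two security-relevant behaviours the list above attributes to the proposed filter: answering pre-flight (OPTIONS + Access-Control-Request-Method) requests inside the filter rather than passing them to the servlet, and never copying an untrusted Origin value into a response header unless it is on a configured allow-list and contains no CR/LF or other control characters (the response-splitting defence). The class name SimpleCorsFilter, the `allowedOrigins` init-param and the fixed method list are assumptions made for this example.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical minimal CORS filter (example code, not the eBay/Tomcat filter).
 * Origins are taken from the comma-separated "allowedOrigins" init-param
 * (assumed name). Only allow-listed origins are echoed back, and any Origin
 * value carrying CR/LF or other control characters is rejected outright.
 */
public class SimpleCorsFilter implements Filter {
    private Set<String> allowedOrigins = Collections.emptySet();

    @Override
    public void init(FilterConfig config) {
        String raw = config.getInitParameter("allowedOrigins");
        if (raw != null) {
            Set<String> parsed = new HashSet<>();
            for (String o : raw.split(",")) {
                parsed.add(o.trim());
            }
            allowedOrigins = parsed;
        }
    }

    /** True if the value can safely be placed in a response header: no CR, LF or control chars. */
    static boolean isHeaderSafe(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n' || c < 0x20 || c == 0x7f) {
                return false;
            }
        }
        return true;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String origin = request.getHeader("Origin");

        // No Origin header: not a CORS request, pass it through untouched.
        if (origin == null) {
            chain.doFilter(req, res);
            return;
        }
        // Response-splitting defence: a control character never reaches a response header.
        if (!isHeaderSafe(origin)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Origin not on the allow-list: add no CORS headers, so the browser blocks the response.
        if (!allowedOrigins.contains(origin)) {
            chain.doFilter(req, res);
            return;
        }
        // Vary on Origin so a shared cache never serves one origin's allow header to another.
        response.addHeader("Vary", "Origin");
        response.setHeader("Access-Control-Allow-Origin", origin);

        boolean preflight = "OPTIONS".equals(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;
        if (preflight) {
            // Pre-flight: answered here with a fixed policy; the servlet is not invoked.
            response.setHeader("Access-Control-Allow-Methods", "GET, POST, HEAD, OPTIONS");
            response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
            response.setHeader("Access-Control-Max-Age", "1800");
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        // Simple/actual request: headers are set, continue down the chain to the servlet.
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

The allow-list check is what keeps the filter from becoming an open reflector of arbitrary origins, and `isHeaderSafe` is the check that matters even when the container itself strips CR/LF from header values, since it fails closed with a 400 instead of silently emitting a modified value.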