tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jose María Zaragoza <demablo...@gmail.com>
Subject Re: CORS issue with Tomcat and Android Webview
Date Tue, 29 Apr 2014 08:48:48 GMT
2014-04-29 0:38 GMT+02:00 Terence M. Bandoian <terence@tmbsw.com>:
> On 4/28/2014 5:32 PM, Terence M. Bandoian wrote:
>>
>> On 4/28/2014 3:08 PM, Jose María Zaragoza wrote:
>>>
>>> 2014-04-28 21:55 GMT+02:00 Terence M. Bandoian <terence@tmbsw.com>:
>>>>
>>>> On 4/26/2014 6:56 AM, Jose María Zaragoza wrote:
>>>>>
>>>>> 2014-04-26 13:16 GMT+02:00 Martin Gainty <mgainty@hotmail.com>:
>>>>>>>
>>>>>>> Date: Sat, 26 Apr 2014 11:43:05 +0530
>>>>>>> Subject: Re: CORS issue with Tomcat and Android Webview
>>>>>>> From: ankisinghal@gmail.com
>>>>>>> To: users@tomcat.apache.org
>>>>>>>
>>>>>>> On Sat, Apr 26, 2014 at 12:53 AM, Terence M. Bandoian
>>>>>>> <terence@tmbsw.com>wrote:
>>>>>>>
>>>>>>>> On 4/24/2014 11:16 PM, Ankit Singhal wrote:
>>>>>>>>
>>>>>>>>> Hi
>>>>>>>>>
>>>>>>>>> I did more research on this and figure out the issue.If
you see the
>>>>>>>>> headers
>>>>>>>>> from Android and look into Origin Header.
>>>>>>>>>
>>>>>>>>> Origin: file://
>>>>>>>>>
>>>>>>>>> Tomcat CORS filter tries to validate the URI in Origin
header and
>>>>>>>>> considers
>>>>>>>>> "file://" as an invalid URI and returns back 403.
>>>>>>>>>
>>>>>>>>> I have applied <accept-origin>*</accept-origin>
params. So
>>>>>>>>> shouldn't
>>>>>>>>> CORS
>>>>>>>>> filter honor this ?
>>>>>>>>>
>>>>>>>>> I agree that Client also has the problem , but still
server should
>>>>>>>>> also
>>>>>>>>> allow...
>>>>>>>>>
>>>>> Hi:
>>>>>
>>>>> I'm watching this flowchart
>>>>> https://tomcat.apache.org/tomcat-7.0-doc/images/cors-flowchart.png
>>>>>
>>>>> and I wonder if Tomcat 7 checks if the request received belongs to the
>>>>> right type.
>>>>> I mean, if browser sends a simple request ( eg. POST + application/xml
>>>>> content-type header )
>>>>> WC3 spec says that request should be a preflight request  , does
>>>>> Tomcat check this case ?
>>>>>
>>>>>
>>>>>
>>>>> Regards
>>>>>
>>>>
>>>> Hi, Jose-
>>>>
>>>> I don't see where the W3C spec requires a preflight request for simple
>>>> requests.
>>>>
>>>>
>>>> -Terence Bandoian
>>>
>>>
>>> Sorry, I meant non-simple request.
>>> For example, if I perform a cross-domain POST request (within
>>> application/xml content-type header ),
>>> I guess that a preflight request is required , right ?
>>> What happens, if it's not sent , on Tomcat? Should it check it ?
>>>
>>> Regards
>>
>>
>>
>> Hi, Jose-
>>
>> I don't see in the W3C spec where preflight requests are required at all.
>> Can you point me to where you've found that?
>>
>> -Terence Bandoian
>>
>
>
> I meant to say I don't see where the W3C spec requires preflight requests to
> be sent.

According to

http://www.w3.org/TR/cors/#simple-cross-origin-request
Cross-Origin Request with Preflight
[
Go to the next step if the following conditions are true. *Otherwise,
make a preflight request.*

- For request method there either is a method cache match or it is a
simple method and the force preflight flag is unset.
- For every header of author request headers there either is a header
cache match for the field name or it is a simple header.
/]

So, I understand that if I make a POST request within application/xml
content-type header, it's a simple method but Content-type:
application/xml is not a simple header, according to
http://www.w3.org/TR/cors/#simple-method
I understand that client must to make a preflight request

Maybe I'm wrong


Regards




















>
> -Terence
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message