tomcat-users mailing list archives

From André Warnier (tomcat) ...@ice-sa.com>
Subject Re: Cors-Filter
Date Fri, 26 Feb 2016 07:42:48 GMT
On 25.02.2016 22:59, RICHARD DOUST wrote:
> Hi,
>
> I’m running Tomcat 7.0. Can’t find the version.bat file, so I don’t know more than that. It’s installed on a Windows computer running Windows Server 2003 DataCenter Edition. (How’s that for refusing to upgrade?) Anyway, it’s a client’s box. I’m trying to migrate an application to JavaScript from GWT, but that’s beside the point. The problem is, I’m unable to send an XMLHttpRequest to this Tomcat instance via https. The site is being served by the same domain, but via http.
>
> I get:
>
> Failed to load resource: Origin http://www.domain.com is not allowed by Access-Control-Allow-Origin.
> https://www.domain.com/application/api/request
> XMLHttpRequest cannot load https://www.domain.com/application/api/reqeuest. Origin http://www.domain.com is not allowed by Access-Control-Allow-Origin.
>
> This is an excerpt of my web.xml file for the war:
>
>> <filter>
>>     <filter-name>CorsFilter</filter-name>
>>     <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
>>     <init-param>
>>         <param-name>cors.allowed.origins</param-name>
>>         <param-value> http://www.domain.com, http://beta.domain.com:8080, http://localhost:8080</param-value>
>>     </init-param>
>>     <init-param>
>>         <param-name>cors.allowed.methods</param-name>
>>         <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
>>     </init-param>
>> </filter>
>>
>> <filter-mapping>
>>     <filter-name>CorsFilter</filter-name>
>>     <url-pattern>/api/*</url-pattern>
>> </filter-mapping>
>
>
> I’d like to debug this, but I don’t know how to go about it. Am I suffering from a basic misunderstanding? Does CORS not allow http to https? Anyway, any help would be appreciated.
>

Honestly, I don't know much about CORS, but I looked at the specs, here:
  http://tools.ietf.org/html/rfc6454 (*)
and it seems to me indeed that in
3.2, Q: Why not just use the host?,
it indeed says that the scheme, "http" or "https", is part of the origin.
I interpret this as meaning that if the HTML page was obtained from
"http://www.domain.com", a call made from within it to "https://www.domain.com" would not
qualify as "from the same origin".

Further in 3.2.1, it gives some examples :

    Each of the following resources has a different origin from the others.

    http://example.com/
    http://example.com:8080/
    http://www.example.com/
    https://example.com:80/
    https://example.com/
    http://example.org/


(*) pointed at by the on-line Tomcat documentation :
https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter
-> cors.allowed.origins -> "origin"
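
The origin comparison discussed in the reply above, as an added example that is not part of the original message or of Tomcat's code. It treats an origin as the RFC 6454 triple (scheme, host, port) and checks Origin values against the list from the quoted web.xml; the function names are illustrative, and exact-string matching of trimmed allow-list entries is an assumption.

```javascript
// Added example: RFC 6454 origin = (scheme, host, port). All names are illustrative.
const DEFAULT_PORTS = { http: "80", https: "443" };

// Reduce a URL to its serialized origin, making the scheme's default port explicit.
function originOf(url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1); // "https:" -> "https"
  const port = u.port || DEFAULT_PORTS[scheme];
  return `${scheme}://${u.hostname}:${port}`;
}

// Two URLs share an origin only if scheme, host and port all match.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Count how many distinct origins a list of URLs contains.
function distinctOrigins(urls) {
  return new Set(urls.map(originOf)).size;
}

// Assumption: the allow-list is comma-separated and each trimmed entry is
// compared to the Origin request header as an exact string.
function originAllowed(originHeader, allowedParam) {
  const allowed = allowedParam.split(",").map((s) => s.trim()).filter(Boolean);
  return allowed.includes(originHeader);
}

// The six resources listed in RFC 6454 section 3.2.1 (quoted in the reply).
const RFC_EXAMPLES = [
  "http://example.com/",
  "http://example.com:8080/",
  "http://www.example.com/",
  "https://example.com:80/",
  "https://example.com/",
  "http://example.org/",
];

// cors.allowed.origins value copied from the quoted web.xml.
const ALLOWED =
  " http://www.domain.com, http://beta.domain.com:8080, http://localhost:8080";

console.log("distinct RFC origins:", distinctOrigins(RFC_EXAMPLES));
console.log("http page vs https API same origin:",
  sameOrigin("http://www.domain.com/", "https://www.domain.com/application/api/request"));
console.log("Origin http://www.domain.com in list:", originAllowed("http://www.domain.com", ALLOWED));
console.log("Origin https://www.domain.com in list:", originAllowed("https://www.domain.com", ALLOWED));
```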