https://bz.apache.org/bugzilla/show_bug.cgi?id=63939
--- Comment #3 from Michael Osipov <micha...@apache.org> ---
(In reply to Mark Thomas from comment #1)
> The CORS specification references RFC 6454 for the definition of the origin
> header.
>
> RFC 6454 states that the port should only be included in serialized form
> (which is the form used in the HTTP header) if the port differs from the
> default port. Tomcat's same origin test is, therefore, correct in this
> respect.

You are referring to https://tools.ietf.org/html/rfc6454#section-6, granted. But the example from https://tools.ietf.org/html/rfc6454#section-3.2.1 claims that w/ and w/o default port is the same origin, so does Spring's CORS filter:
https://github.com/spring-projects/spring-framework/blob/master/spring-web/src/main/java/org/springframework/web/cors/CorsUtils.java#L50-L52

Would you both consider to be wrong, or just lax? Because RFC 6454 refers in the ABNF to RFC 3986 and that likely will compare them equal.
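The two readings discussed in this comment, side by side, as an added example that is not Tomcat's or Spring's code: an exact match against the serialized origin (RFC 6454 section 6) and a (scheme, host, port) comparison that fills in the default port, as in the section 3.2.1 examples. The class and method names are hypothetical, only the http and https default ports are assumed, and the sample origins are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Locale;

public class OriginCompare {
    // Assumption: only http and https default ports are known to this sketch.
    static int defaultPort(String scheme) {
        switch (scheme) {
            case "http":  return 80;
            case "https": return 443;
            default:      return -1;
        }
    }

    // Strict reading: the header must equal the serialized origin exactly.
    static boolean sameSerialized(String originHeader, String serverOrigin) {
        return originHeader.equals(serverOrigin);
    }

    // Reduce an origin to (scheme, host, port); null if it cannot be parsed.
    static String[] tuple(String origin) {
        try {
            URI u = new URI(origin);
            if (u.getScheme() == null || u.getHost() == null) return null;
            String scheme = u.getScheme().toLowerCase(Locale.ROOT);
            int port = u.getPort() == -1 ? defaultPort(scheme) : u.getPort();
            return new String[] {scheme, u.getHost().toLowerCase(Locale.ROOT), String.valueOf(port)};
        } catch (URISyntaxException e) {
            return null;
        }
    }

    // Tuple reading: explicit default port equals omitted port; unparsable input never matches.
    static boolean sameTuple(String a, String b) {
        String[] ta = tuple(a), tb = tuple(b);
        return ta != null && tb != null && Arrays.equals(ta, tb);
    }

    public static void main(String[] args) {
        String server = "https://example.com"; // constructed sample values
        String[] headers = {"https://example.com", "https://example.com:443",
                            "https://example.com:8443", "http://example.com", "null"};
        for (String h : headers) {
            System.out.printf("%-26s serialized=%-5b tuple=%b%n",
                    h, sameSerialized(h, server), sameTuple(h, server));
        }
    }
}
```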