https://bz.apache.org/bugzilla/show_bug.cgi?id=63939
Bug ID: 63939
Summary: CORS filter incorrectly implements same/local origin check
Product: Tomcat 9
Version: 9.0.x
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: micha...@apache.org
Target Milestone: -----

I believe org.apache.catalina.filters.CorsFilter.isLocalOrigin(HttpServletRequest, String) has two bugs:

One note upfront: I believe this method should be renamed to isSameOrigin() to use the same term as the Fetch Standard.

Bug 1: When Origin contains a standard port, Tomcat does not take that into account and omits the default port from target, e.g.,

> curl -X OPTIONS -H "Origin: https://fqdn:443"

vs.

> curl -X OPTIONS -H "Origin: https://fqdn"

both result in different responses. The root cause is here:
https://github.com/apache/tomcat/blob/master/java/org/apache/catalina/filters/CorsFilter.java#L656-L663

As far as I understand https://url.spec.whatwg.org/#concept-url-port, the default port for the specific protocol has to be used within the comparison.

Bug 2: At the very end, "origin.equalsIgnoreCase(target.toString());" is performed, while isOriginAllowed() performs a case-sensitive comparison as documented here:
https://www.w3.org/TR/access-control/#resource-preflight-requests

This seems to be inconsistent.
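The following is an added illustration of the comparison the report is asking for; it is not Tomcat's code and not a patch to CorsFilter. It models the request side with plain parameters (scheme, host, port, as HttpServletRequest would return them) instead of a servlet request so it runs stand-alone. The point it shows: an Origin header is compared as a serialized origin (scheme, host, effective port), with the scheme default supplied whenever the port is omitted, so "https://fqdn:443" and "https://fqdn" are the same origin; scheme and host are compared after ASCII lowercasing because the URL Standard lowercases them at parse time, while the port is compared as a number. The allow-list check that the report contrasts this with (isOriginAllowed) is a separate, byte-for-byte comparison and is not reproduced here.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/**
 * Added example (not Tomcat code): same-origin check with default-port
 * normalisation. Method and parameter names are this example's own.
 */
public final class SameOriginCheck {

    /** Default port for the schemes a CORS filter sees; -1 if the scheme has none. */
    static int defaultPort(String scheme) {
        switch (scheme) {
            case "http":  return 80;
            case "https": return 443;
            default:      return -1;
        }
    }

    /** The port a URI is actually served on: the explicit port, else the scheme default. */
    static int effectivePort(String scheme, int port) {
        return port == -1 ? defaultPort(scheme) : port;
    }

    /**
     * True when the Origin header names the same origin as the request target.
     * reqScheme/reqHost/reqPort stand in for request.getScheme(), getServerName()
     * and getServerPort(). A malformed Origin, the opaque "null" origin, and any
     * value carrying userinfo, path, query or fragment are never same-origin.
     */
    static boolean isSameOrigin(String originHeader, String reqScheme, String reqHost, int reqPort) {
        if (originHeader == null || originHeader.equals("null")) {
            return false;
        }
        URI origin;
        try {
            origin = new URI(originHeader);
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = origin.getScheme();
        String host = origin.getHost();          // null for registry-based authorities such as "fqdn:abc"
        boolean extraParts = origin.getUserInfo() != null
                || (origin.getRawPath() != null && !origin.getRawPath().isEmpty())
                || origin.getRawQuery() != null
                || origin.getRawFragment() != null;
        if (scheme == null || host == null || extraParts) {
            return false;
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        String targetScheme = reqScheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals(targetScheme)) {
            return false;
        }
        if (!host.toLowerCase(Locale.ROOT).equals(reqHost.toLowerCase(Locale.ROOT))) {
            return false;
        }
        // getServerPort() is always explicit, but normalising both sides costs nothing.
        return effectivePort(scheme, origin.getPort()) == effectivePort(targetScheme, reqPort);
    }

    public static void main(String[] args) {
        // Constructed cases: the two curl invocations from the report, plus edge cases.
        Object[][] cases = {
            { "https://fqdn:443",      "https", "fqdn", 443, true  },  // explicit default port
            { "https://fqdn",          "https", "fqdn", 443, true  },  // omitted default port
            { "HTTPS://FQDN",          "https", "fqdn", 443, true  },  // scheme/host case
            { "https://fqdn:8443",     "https", "fqdn", 443, false },  // different port
            { "http://fqdn",           "https", "fqdn", 443, false },  // different scheme
            { "https://other",         "https", "fqdn", 443, false },  // different host
            { "https://fqdn/",         "https", "fqdn", 443, false },  // not a serialized origin
            { "null",                  "https", "fqdn", 443, false },  // opaque origin
            { "https://fqdn:abc",      "https", "fqdn", 443, false },  // unparsable port
        };
        for (Object[] c : cases) {
            boolean got = isSameOrigin((String) c[0], (String) c[1], (String) c[2], (Integer) c[3]);
            System.out.printf("%-22s -> %-5s (expected %s)%n", c[0], got, c[4]);
            if (got != (Boolean) c[4]) {
                throw new AssertionError("unexpected result for " + c[0]);
            }
        }
    }
}
```

Run with `javac SameOriginCheck.java && java SameOriginCheck`; the main method throws if any constructed case disagrees with the expected column. The design choice worth noting is that the port is normalised on both sides and compared numerically rather than by string-concatenating scheme, host and port and comparing the result, which is exactly where an omitted default port goes wrong.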