Hi,

We are facing a problem in the Tomcat CORS filter. Below are the filter 
configurations added in web.xml for CORS request processing.

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
    <!--<init-param>
      <param-name>cors.allow.nullorigin</param-name>
      <param-value>true</param-value>
   </init-param>-->
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,KN-X-UserAgent</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>

The Tomcat server processes all the CORS requests successfully when the Origin 
in the request contains a domain for all schemes like http://www.kodiakptt.com, 
file://local etc.


POST http://kodiakptt.com/poc/ HTTP/1.1
Host: medistreet.in
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://www.kodiakptt.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36


The HTTP request fails if the Origin header contains only a scheme and not a 
domain name. The server sends 403 when the request is as below.


POST http://kodiakptt.com/poc/ HTTP/1.1
Accept: application/json, text/plain, */*
Origin: file://
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; XT1033 Build/KXB20.25-1.31) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36
Content-Type: application/json;charset=UT

The differences in request headers between the successful and the failed 
operations are:

1. Origin is file:// in the failed request and 
http://www.kodiakptt.com in the successfully processed 
request.

2. The User-Agent header.


Regards,

Chandra
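The behaviour described above comes down to two decisions a CORS filter makes for a request carrying an Origin header: whether the Origin is syntactically acceptable, and which Access-Control-* response headers it emits for the configured `cors.allowed.origins` / `cors.support.credentials`. The Python model below is an added illustration, not Tomcat's CorsFilter source and not code from the original mail; it approximates those two decisions so the posted configuration can be compared with an alternative. It shows why a bare `file://` Origin (no host component, which RFC 6454 permits for file URIs) is rejected by a check that demands scheme plus host, and it makes visible the consequence of combining the wildcard `*` with `cors.support.credentials=true`: every Origin that passes the syntax check is echoed back together with `Access-Control-Allow-Credentials: true`. The config objects and their names (`POSTED_CONFIG`, `FILE_TOLERANT_CONFIG`, `HARDENED_CONFIG`) are constructed for this example.

```python
"""Constructed model of a CORS filter's Origin handling (not Tomcat's code)."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class CorsConfig:
    allowed_origins: set[str] | None  # None models cors.allowed.origins = "*"
    support_credentials: bool         # models cors.support.credentials
    accept_file_scheme: bool = False  # tolerate "file://" with no host component


def is_valid_origin(origin: str, accept_file_scheme: bool) -> bool:
    """Syntactic check of a serialised origin, modelled after RFC 6454 section 6."""
    # Percent-encoded characters are refused outright: they are never part of a
    # legitimate serialised origin and refusing them blocks header-injection tricks.
    if "%" in origin:
        return False
    # RFC 6454 serialises an opaque/privacy-sensitive origin as the literal "null".
    if origin == "null":
        return True
    # RFC 6454 section 4 lets file: URIs map to an implementation-defined origin,
    # so browsers may legitimately send "file://" with no host at all. A filter that
    # insists on a host rejects it; the flag models the two possible policies.
    if origin.startswith("file://"):
        return accept_file_scheme
    parts = urlsplit(origin)
    # A web origin is scheme "://" host [":" port]; both scheme and host must exist.
    return bool(parts.scheme) and bool(parts.hostname)


def handle_origin(cfg: CorsConfig, origin: str) -> tuple[int, dict[str, str]]:
    """Return (HTTP status, CORS response headers) for a request carrying `origin`."""
    if not is_valid_origin(origin, cfg.accept_file_scheme):
        return 403, {}
    if cfg.allowed_origins is not None and origin not in cfg.allowed_origins:
        return 403, {}
    headers: dict[str, str] = {}
    if cfg.allowed_origins is None and not cfg.support_credentials:
        # Without credentials the wildcard can be returned literally.
        headers["Access-Control-Allow-Origin"] = "*"
    else:
        # Browsers refuse "*" together with credentials, so the filter must echo the
        # specific Origin. With a wildcard allow-list that means ANY syntactically
        # valid origin is echoed, which is the risk in the posted configuration.
        headers["Access-Control-Allow-Origin"] = origin
    if cfg.support_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return 200, headers


# Configuration as posted in the mail: wildcard origins AND credentials (constructed model).
POSTED_CONFIG = CorsConfig(allowed_origins=None, support_credentials=True)
# Same, but tolerating a bare "file://" Origin as RFC 6454 permits.
FILE_TOLERANT_CONFIG = CorsConfig(allowed_origins=None, support_credentials=True,
                                  accept_file_scheme=True)
# Preferred when credentials are supported: enumerate the permitted origins in
# cors.allowed.origins instead of "*" (origin value taken from the mail).
HARDENED_CONFIG = CorsConfig(allowed_origins={"http://www.kodiakptt.com"},
                             support_credentials=True)


if __name__ == "__main__":
    # The two Origin values from the mail, run through each configuration.
    for name, cfg in (("posted", POSTED_CONFIG), ("file-tolerant", FILE_TOLERANT_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        for origin in ("http://www.kodiakptt.com", "file://", "http://other.example"):
            status, hdrs = handle_origin(cfg, origin)
            print(f"{name:14s} Origin={origin:26s} -> {status} {hdrs}")
```

Running the block prints, per configuration, the status and the CORS headers for the working Origin from the mail, the failing `file://` Origin, and an unrelated origin; with the posted configuration the unrelated origin is echoed with credentials allowed, while the hardened configuration answers it with 403.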
