Hi,
We are facing a problem with the Tomcat CORS filter. Below is the filter configuration added in web.xml for CORS request processing.

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <!--<init-param>
    <param-name>cors.allow.nullorigin</param-name>
    <param-value>true</param-value>
  </init-param>-->
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,KN-X-UserAgent</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>

The Tomcat server processes all CORS requests successfully when the Origin in the request contains a domain, for all schemes, like http://www.kodiakptt.com, file://local etc.

POST http://kodiakptt.com/poc/ HTTP/1.1
Host: medistreet.in
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://www.kodiakptt.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36

The HTTP request fails if the Origin header contains only a scheme and not a domain name. The server sends 403 when the request is as below.

POST http://kodiakptt.com/poc/ HTTP/1.1
Accept: application/json, text/plain, */*
Origin: file://
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; XT1033 Build/KXB20.25-1.31) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36
Content-Type: application/json;charset=UT

The differences in request headers between the successful and failed operations are:
1. Origin is file:// in the failed request and http://www.kodiakptt.com in the successfully processed request.
2. The User-Agent header.

Regards,
Chandra
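
The following is an added example, not part of the original post and not Tomcat's own code. It runs the three Origin values from the post through `java.net.URI`, assuming the filter validates the Origin header by parsing it as a URI (the post does not state this); the class and method names are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Hypothetical demo class; the validation logic is an assumption, not Tomcat source.
public class OriginCheckDemo {

    // Assumed strict check: the Origin must parse as a URI and carry a scheme.
    static boolean strictIsValid(String origin) {
        if (origin == null || origin.contains("%")) {
            return false; // refuse percent-encoded input such as encoded CR/LF
        }
        try {
            return new URI(origin).getScheme() != null;
        } catch (URISyntaxException e) {
            // "file://" ends up here: "//" announces an authority, but none follows.
            return false;
        }
    }

    // Tolerant variant: also treats the literal "null" origin and any file://
    // origin as well-formed. RFC 6454 section 4 lets a user agent report an
    // implementation-defined origin for file: URIs.
    // Being well-formed is separate from being on the allowed-origins list.
    static boolean tolerantIsValid(String origin) {
        if (origin == null || origin.contains("%")) {
            return false;
        }
        if ("null".equals(origin) || origin.startsWith("file://")) {
            return true;
        }
        return strictIsValid(origin);
    }

    public static void main(String[] args) {
        // Origin values taken from the requests and text of the post.
        String[] origins = { "http://www.kodiakptt.com", "file://local", "file://" };
        for (String o : origins) {
            System.out.printf("%-26s strict=%-5b tolerant=%b%n",
                    o, strictIsValid(o), tolerantIsValid(o));
        }
    }
}
```

Under the strict check only `file://` is refused, because `java.net.URI` throws `URISyntaxException` when `//` is not followed by an authority; that matches the pattern of accepted and rejected requests described in the post.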