Hi,

 

Tomcat brings a special filter that implements the CORS specification. In
this filter, the default list of allowed headers is the following: 

 

Origin

Accept

X-Requested-With

Content-Type

Access-Control-Request-Method

Access-Control-Request-Headers

 

I know that I can replace that list by using the filter parameter
"cors.allowed.headers" and specify my own list of headers. I know that. But
I have the following questions:

 

- When this filter was created, why was the list filled with this
-arbitrarily- short list of headers? Why these headers and not others? Why,
for example, isn't the "cache-control" header in the list? How was this list
chosen?

- If I want to define a more complete list, which headers should I include?
There are so many headers to think about!

- Can I use a "*" instead of specifying a list? Is that something that the
CORS spec allows?

- I know that the CORS spec defines this kind of list, but why is that
necessary? Why can't we just accept any header in the pre-flight OPTIONS
step, instead of returning a 403 (Forbidden) if at least one of the headers
requested by the client is not in the list of allowed headers?

- Why isn't there an option in the filter to do something like this?

response.setHeader("Access-Control-Allow-Headers",
    request.getHeader("Access-Control-Request-Headers"));

 

I'm puzzled. One of the users of my API sent the "cache-control" header in
the "Access-Control-Request-Headers" list during the pre-flight step, and
received an HTTP 403 error status. I can add this header to the list (using
the "cors.allowed.headers" filter parameter). But what about next time some
client sends another header that is not in the list?

 

Brian
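The three behaviours the message asks about (the allow-list check that produces the 403, a "*" wildcard, and echoing Access-Control-Request-Headers back) can be compared side by side. The following Python model is an added illustration written for this page; it is not Tomcat's CorsFilter source and does not claim to reproduce its internals. The default allow list is the one quoted in the message, the cache-control preflight is the scenario described there, and the browser-side check follows the CORS-preflight rules of the Fetch standard (a "*" is only honoured on requests made without credentials, and never covers Authorization). The policy names and function signatures are this example's own.

```python
"""Model of the CORS preflight Access-Control-Request-Headers check.

Added illustration written for this page; it is not Tomcat's CorsFilter
source. It reproduces the decision the message describes (a 403 when a
requested header is missing from the allow list) and contrasts it with
the two alternatives the message asks about: a "*" wildcard and echoing
the request header back. The browser-side check follows the Fetch standard.
"""
from typing import Iterable, Optional

# Default allow list quoted in the message. Header names compare
# case-insensitively in CORS, so everything is normalised to lower case.
TOMCAT_DEFAULT_ALLOWED_HEADERS = frozenset(h.lower() for h in (
    "Origin", "Accept", "X-Requested-With", "Content-Type",
    "Access-Control-Request-Method", "Access-Control-Request-Headers",
))


def parse_header_list(value: str) -> list[str]:
    """Split 'a, B ,c' into ['a', 'b', 'c'] (lower-cased, blanks dropped)."""
    return [h.strip().lower() for h in value.split(",") if h.strip()]


def allow_list_policy(requested: str,
                      allowed: Iterable[str] = TOMCAT_DEFAULT_ALLOWED_HEADERS
                      ) -> Optional[str]:
    """Allow-list check, as the message describes the filter doing it.

    Every name in Access-Control-Request-Headers must be in the list.
    Returns the Access-Control-Allow-Headers value to send, or None,
    meaning the preflight is refused (the HTTP 403 in the message).
    """
    allowed_set = {h.lower() for h in allowed}
    names = parse_header_list(requested)
    if any(name not in allowed_set for name in names):
        return None
    # Echo back just the validated names; listing the whole allow list
    # would be equally valid for the browser.
    return ", ".join(names)


def wildcard_policy(requested: str, credentials: bool) -> Optional[str]:
    """Answer '*' where the Fetch standard lets a browser honour it.

    '*' is a wildcard only for requests made without credentials (no
    cookies, HTTP auth or client certificate). With credentials the
    browser reads '*' as a literal header name, and Authorization is
    never covered by the wildcard. In both cases the server has to name
    the headers explicitly, so this policy returns None and the caller
    must fall back to a list.
    """
    names = parse_header_list(requested)
    if credentials or "authorization" in names:
        return None
    return "*"


def reflect_policy(requested: str) -> str:
    """The setHeader(..., request.getHeader(...)) idea from the message.

    Whatever the client asks for is allowed, so the header check no
    longer exists; only the origin, method and credential checks remain.
    """
    return ", ".join(parse_header_list(requested))


def browser_accepts(requested: str, allow_headers: Optional[str],
                    credentials: bool) -> bool:
    """Client side of the same exchange (Fetch, CORS-preflight fetch).

    Each requested name must appear in Access-Control-Allow-Headers, or
    be covered by '*' on a request without credentials; '*' never covers
    Authorization. A refused preflight (our None, i.e. the 403) fails.
    """
    if allow_headers is None:
        return False
    allowed = set(parse_header_list(allow_headers))
    wildcard = "*" in allowed and not credentials
    for name in parse_header_list(requested):
        if name in allowed:
            continue
        if wildcard and name != "authorization":
            continue
        return False
    return True


if __name__ == "__main__":
    # The scenario from the message: a client preflights with cache-control.
    req = "Content-Type, Cache-Control"
    print("default list       ->", allow_list_policy(req))
    widened = set(TOMCAT_DEFAULT_ALLOWED_HEADERS) | {"cache-control"}
    print("with cache-control ->", allow_list_policy(req, widened))
    print("wildcard, no creds ->", wildcard_policy(req, credentials=False))
    print("wildcard, cookies  ->", wildcard_policy(req, credentials=True))
    print("reflect            ->", reflect_policy("X-Anything-Goes"))
```

Run as a script it walks through the cache-control preflight under each policy. The point the comparison makes is that reflecting the request header is not a fourth kind of allow list but the absence of one, and that "*" only helps for anonymous API calls: as soon as the API is called with cookies or HTTP auth, or the client sends Authorization, the server is back to naming headers explicitly.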

 

 

 
