2016-02-26 9:08 GMT+01:00 RICHARD DOUST <rdo...@mac.com>: > My question is, why doesn't it work, or, how can I debug it?
Are you tested to allow to all origins (default option) ? Only for testing purpose, I mean: <param-name>cors.allowed.origins</param-name> <param-value>*</param-value> At first sight, your settings should work, but ... > I guess I'm going to have to figure out how to get the code for org.apache > associated with the jar file so that I can see the source in Eclipse and set > a breakpoint. > I have read elsewhere that any http page that attempts to mix in https > content is as insecure as the page that uses http exclusively, being subject > to man in the middle attacks and that once you need https everything needs to > be https, but in a large SPA, that seems to me to mean a lot of potentially > unnecessary overhead. I'd like to know what some experts think. > > Thanks > > Sent from my iPad > >> On Feb 26, 2016, at 2:42 AM, André Warnier (tomcat) <a...@ice-sa.com> wrote: >> >>> On 25.02.2016 22:59, RICHARD DOUST wrote: >>> Hi, >>> >>> I’m running Tomcat 7.0. Can’t find the version.bat file, so I don’t know >>> more than that. It’s installed on a Windows computer running Windows Server >>> 2003 DataCenter Edition. (How’s that for refusing to upgrade?) Anyway, it’s >>> a client’s box. I’m trying to migrate an application to JavaScript from >>> GWT, but that’s beside the point. The problem is, I’m unable to send an >>> XMLHttpRequest to this Tomcat instance via https. The site is being served >>> by the same domain, but via http. >>> >>> I get: >>> >>> Failed to load resource: Origin http://www.domain.com is not allowed by >>> Access-Control-Allow-Origin. >>> https://www.domain.com/application/api/request >>> XMLHttpRequest cannot load https://www.domain.com/application/api/reqeuest. >>> Origin http://www.domain.com is not allowed by Access-Control-Allow-Origin. >>> >>> This is an excerpt my web.xml file for the war: >>> >>>> <filter> >>>> <filter-name>CorsFilter</filter-name> >>>> <filter-class>org.apache.catalina.filters.CorsFilter</filter-class> >>>> <init-param> >>>> <param-name>cors.allowed.origins</param-name> >>>> <param-value> http://www.domain.com, >>>> http://beta.domain.com:8080, http://localhost:8080</param-value> >>>> </init-param> >>>> <init-param> >>>> <param-name>cors.allowed.methods</param-name> >>>> <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value> >>>> </init-param> >>>> </filter> >>>> >>>> <filter-mapping> >>>> <filter-name>CorsFilter</filter-name> >>>> <url-pattern>/api/*</url-pattern> >>>> </filter-mapping> >>> >>> >>> I’d like to debug this, but I don’t know how to go about it. Am I suffering >>> from a basic misunderstanding? Does cors not allow http to https? Anyway, >>> any help would be appreciated. >>> >> >> Honestly, I don't know much about CORS, but I looked at the specs, here : >> http://tools.ietf.org/html/rfc6454 (*) >> and it seems to me indeed that in >> 3.2, Q: Why not just use the host?, >> it indeed says that the scheme "http" or "https", is part of the origin. >> I interpret this as meaning that if the HTML page was obtained from >> "http://www.domain.com";, a call made from within it, to >> "https://www.domain.com"; would not qualify as "from the same origin". >> >> Further in 3.2.1, it gives some examples : >> >> Each of the following resources has a different origin from the >> others. >> >> http://example.com/ >> http://example.com:8080/ >> http://www.example.com/ >> https://example.com:80/ >> https://example.com/ >> http://example.org/ >> >> >> (*) pointed at by the on-line Tomcat documentation : >> https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter >> -> cors.allowed.origins -> "origin" >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
