Jose,

On 2/26/16 7:08 AM, Jose María Zaragoza wrote:
> 2016-02-26 9:08 GMT+01:00 RICHARD DOUST <rdo...@mac.com>:
>> My question is, why doesn't it work, or, how can I debug it?
>
> Have you tested allowing all origins (default option)? Only for
> testing purposes, I mean:
>
> <param-name>cors.allowed.origins</param-name>
> <param-value>*</param-value>
>
> At first sight, your settings should work, but ...

This is exactly what I was going to suggest.

Also, what HTTP METHOD are you actually using? POST?

If you are using https://, I would make sure that https:// URLs actually
appear in your configuration (you only have HTTP URLs).

-chris

>> I guess I'm going to have to figure out how to get the code for
>> org.apache associated with the jar file so that I can see the
>> source in Eclipse and set a breakpoint. I have read elsewhere
>> that any http page that attempts to mix in https content is as
>> insecure as the page that uses http exclusively, being subject to
>> man in the middle attacks and that once you need https everything
>> needs to be https, but in a large SPA, that seems to me to mean a
>> lot of potentially unnecessary overhead. I'd like to know what
>> some experts think.
>>
>> Thanks
>>
>> Sent from my iPad
>>
>>> On Feb 26, 2016, at 2:42 AM, André Warnier (tomcat)
>>> <a...@ice-sa.com> wrote:
>>>
>>>> On 25.02.2016 22:59, RICHARD DOUST wrote:
>>>> Hi,
>>>>
>>>> I’m running Tomcat 7.0. Can’t find the version.bat file, so I
>>>> don’t know more than that. It’s installed on a Windows
>>>> computer running Windows Server 2003 DataCenter Edition.
>>>> (How’s that for refusing to upgrade?) Anyway, it’s a client’s
>>>> box. I’m trying to migrate an application to JavaScript from
>>>> GWT, but that’s beside the point. The problem is, I’m unable
>>>> to send an XMLHttpRequest to this Tomcat instance via https.
>>>> The site is being served by the same domain, but via http.
>>>>
>>>> I get:
>>>>
>>>> Failed to load resource: Origin http://www.domain.com is not
>>>> allowed by Access-Control-Allow-Origin.
>>>> https://www.domain.com/application/api/request XMLHttpRequest
>>>> cannot load https://www.domain.com/application/api/reqeuest.
>>>> Origin http://www.domain.com is not allowed by
>>>> Access-Control-Allow-Origin.
>>>>
>>>> This is an excerpt of my web.xml file for the war:
>>>>
>>>>> <filter>
>>>>>   <filter-name>CorsFilter</filter-name>
>>>>>   <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
>>>>>   <init-param>
>>>>>     <param-name>cors.allowed.origins</param-name>
>>>>>     <param-value>
>>>>>       http://www.domain.com, http://beta.domain.com:8080,
>>>>>       http://localhost:8080</param-value>
>>>>>   </init-param>
>>>>>   <init-param>
>>>>>     <param-name>cors.allowed.methods</param-name>
>>>>>     <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
>>>>>   </init-param>
>>>>> </filter>
>>>>>
>>>>> <filter-mapping>
>>>>>   <filter-name>CorsFilter</filter-name>
>>>>>   <url-pattern>/api/*</url-pattern>
>>>>> </filter-mapping>
>>>>
>>>>
>>>> I’d like to debug this, but I don’t know how to go about it.
>>>> Am I suffering from a basic misunderstanding? Does cors not
>>>> allow http to https? Anyway, any help would be appreciated.
>>>>
>>>
>>> Honestly, I don't know much about CORS, but I looked at the
>>> specs, here : http://tools.ietf.org/html/rfc6454 (*) and it
>>> seems to me indeed that in 3.2, Q: Why not just use the host?,
>>> it indeed says that the scheme "http" or "https", is part of
>>> the origin. I interpret this as meaning that if the HTML page
>>> was obtained from "http://www.domain.com", a call made from
>>> within it, to "https://www.domain.com" would not qualify as
>>> "from the same origin".
>>>
>>> Further in 3.2.1, it gives some examples :
>>>
>>> Each of the following resources has a different origin from
>>> the others.
>>>
>>> http://example.com/
>>> http://example.com:8080/
>>> http://www.example.com/
>>> https://example.com:80/
>>> https://example.com/
>>> http://example.org/
>>>
>>>
>>> (*) pointed at by the on-line Tomcat documentation :
>>> https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter
>>>
>>> -> cors.allowed.origins -> "origin"
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
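
Added example (not part of the original thread, and not Tomcat's CorsFilter code): a small model of the RFC 6454 origin comparison discussed above, and of an exact-match allow-list check over a cors.allowed.origins-style value. The function names and the exact-match rule are assumptions made for illustration; the sample values are the ones quoted in the thread.

```javascript
// Added example: RFC 6454 origin comparison plus a simplified allow-list
// check. A model for reasoning about the thread, not Tomcat's CorsFilter code.

// Serialize the origin (scheme, host, port) of a URL. The URL parser drops a
// scheme's default port, so http://host:80/ and http://host/ share an origin.
function originOf(url) {
  return new URL(url).origin;
}

// Two URLs are same-origin only if scheme, host and port all match.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Split a comma-separated cors.allowed.origins-style value into entries,
// trimming the spaces and line breaks a web.xml <param-value> may carry.
function parseAllowedOrigins(paramValue) {
  return paramValue.split(",").map((s) => s.trim()).filter((s) => s !== "");
}

// Assumed matching rule: "*" allows any origin, otherwise the browser's
// Origin header must equal one configured entry exactly (scheme included).
function isOriginAllowed(originHeader, paramValue) {
  const allowed = parseAllowedOrigins(paramValue);
  return allowed.includes("*") || allowed.includes(originHeader);
}

// The six URLs from RFC 6454 section 3.2.1, as quoted in the thread.
const RFC_EXAMPLES = [
  "http://example.com/", "http://example.com:8080/", "http://www.example.com/",
  "https://example.com:80/", "https://example.com/", "http://example.org/",
];

// Count the distinct origins among a list of URLs.
function distinctOrigins(urls) {
  return new Set(urls.map(originOf)).size;
}

// The param-value from the posted web.xml, line break included.
const CONFIGURED = `
  http://www.domain.com, http://beta.domain.com:8080,
  http://localhost:8080`;

console.log("distinct RFC origins:", distinctOrigins(RFC_EXAMPLES));
console.log("http page -> https API same-origin:",
  sameOrigin("http://www.domain.com/", "https://www.domain.com/application/api/request"));
console.log("http origin allowed:", isOriginAllowed("http://www.domain.com", CONFIGURED));
console.log("https origin allowed:", isOriginAllowed("https://www.domain.com", CONFIGURED));
```

Under this model the posted list matches an Origin of http://www.domain.com but not https://www.domain.com, so a page served over https would need its own https:// entry.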