> On Feb 26, 2016, at 3:40 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> Jose,
>
> On 2/26/16 7:08 AM, Jose María Zaragoza wrote:
>> 2016-02-26 9:08 GMT+01:00 RICHARD DOUST <rdo...@mac.com>:
>>> My question is, why doesn't it work, or, how can I debug it?
>>
>> Have you tested allowing all origins (default option)? Only for
>> testing purposes, I mean:
>>
>> <param-name>cors.allowed.origins</param-name>
>> <param-value>*</param-value>
>>
>> At first sight, your settings should work, but ...
>
> This is exactly what I was going to suggest.
>
> Also, what HTTP METHOD are you actually using? POST?

POST

> If you are using https://, I would make sure that https:// URLs
> actually appear in your configuration (you only have HTTP URLs).

The origin of the request is http://, that’s why I put it in there. Do I also need to put https:// in there? Seems counter-intuitive, but okay. I’ll try it. Thanks.

> -chris
>
>>> I guess I'm going to have to figure out how to get the code for
>>> org.apache associated with the jar file so that I can see the
>>> source in Eclipse and set a breakpoint. I have read elsewhere
>>> that any http page that attempts to mix in https content is as
>>> insecure as the page that uses http exclusively, being subject to
>>> man in the middle attacks and that once you need https everything
>>> needs to be https, but in a large SPA, that seems to me to mean a
>>> lot of potentially unnecessary overhead. I'd like to know what
>>> some experts think.
>>>
>>> Thanks
>>>
>>>> On Feb 26, 2016, at 2:42 AM, André Warnier (tomcat)
>>>> <a...@ice-sa.com> wrote:
>>>>
>>>>> On 25.02.2016 22:59, RICHARD DOUST wrote:
>>>>> Hi,
>>>>>
>>>>> I’m running Tomcat 7.0. Can’t find the version.bat file, so I
>>>>> don’t know more than that. It’s installed on a Windows
>>>>> computer running Windows Server 2003 DataCenter Edition.
>>>>> (How’s that for refusing to upgrade?) Anyway, it’s a client’s
>>>>> box. I’m trying to migrate an application to JavaScript from
>>>>> GWT, but that’s beside the point. The problem is, I’m unable
>>>>> to send an XMLHttpRequest to this Tomcat instance via https.
>>>>> The site is being served by the same domain, but via http.
>>>>>
>>>>> I get:
>>>>>
>>>>> Failed to load resource: Origin http://www.domain.com is not
>>>>> allowed by Access-Control-Allow-Origin.
>>>>> https://www.domain.com/application/api/request
>>>>> XMLHttpRequest cannot load https://www.domain.com/application/api/reqeuest.
>>>>> Origin http://www.domain.com is not allowed by
>>>>> Access-Control-Allow-Origin.
>>>>>
>>>>> This is an excerpt of my web.xml file for the war:
>>>>>
>>>>>> <filter>
>>>>>>   <filter-name>CorsFilter</filter-name>
>>>>>>   <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
>>>>>>   <init-param>
>>>>>>     <param-name>cors.allowed.origins</param-name>
>>>>>>     <param-value>http://www.domain.com, http://beta.domain.com:8080, http://localhost:8080</param-value>
>>>>>>   </init-param>
>>>>>>   <init-param>
>>>>>>     <param-name>cors.allowed.methods</param-name>
>>>>>>     <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
>>>>>>   </init-param>
>>>>>> </filter>
>>>>>>
>>>>>> <filter-mapping>
>>>>>>   <filter-name>CorsFilter</filter-name>
>>>>>>   <url-pattern>/api/*</url-pattern>
>>>>>> </filter-mapping>
>>>>>
>>>>> I’d like to debug this, but I don’t know how to go about it.
>>>>> Am I suffering from a basic misunderstanding? Does CORS not
>>>>> allow http to https? Anyway, any help would be appreciated.
>>>>>
>>>>
>>>> Honestly, I don't know much about CORS, but I looked at the
>>>> specs, here: http://tools.ietf.org/html/rfc6454 (*) and it
>>>> seems to me indeed that in 3.2, Q: Why not just use the host?,
>>>> it indeed says that the scheme "http" or "https", is part of
>>>> the origin. I interpret this as meaning that if the HTML page
>>>> was obtained from "http://www.domain.com", a call made from
>>>> within it, to "https://www.domain.com" would not qualify as
>>>> "from the same origin".
>>>>
>>>> Further in 3.2.1, it gives some examples:
>>>>
>>>> Each of the following resources has a different origin from
>>>> the others.
>>>>
>>>> http://example.com/
>>>> http://example.com:8080/
>>>> http://www.example.com/
>>>> https://example.com:80/
>>>> https://example.com/
>>>> http://example.org/
>>>>
>>>> (*) pointed at by the on-line Tomcat documentation:
>>>> https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter
>>>> -> cors.allowed.origins -> "origin"
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
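
The origin rule discussed in this thread, as an added example that is not part of any message above and is not Tomcat's code: it computes RFC 6454 origins for the six quoted URLs and checks the thread's `cors.allowed.origins` value against the `Origin` a browser would send. The helper names, the page URL (constructed from the Origin in the browser error) and the exact-string matching model are assumptions.

```javascript
// Added illustration. Assumption: the filter matches the Origin header against
// each configured entry as an exact string, and "*" allows any origin.

// RFC 6454 origin (scheme, host, port); URL.origin omits default ports.
function originOf(url) {
  return new URL(url).origin;
}

// Split a cors.allowed.origins value on commas and trim whitespace.
function parseAllowedOrigins(paramValue) {
  return paramValue.split(",").map((s) => s.trim()).filter((s) => s !== "");
}

// Hypothetical helper: what the browser sends and how the model decides.
function diagnose(pageUrl, requestUrl, paramValue) {
  const originHeader = originOf(pageUrl);
  const entries = parseAllowedOrigins(paramValue);
  return {
    originHeader,
    crossOrigin: originHeader !== originOf(requestUrl),
    allowed: entries.includes("*") || entries.includes(originHeader),
    // Entries not written the way a browser serializes an origin
    // (trailing slash, explicit default port) can never match.
    nonCanonical: entries.filter((e) => {
      if (e === "*") return false;
      try { return originOf(e) !== e; } catch { return true; }
    }),
  };
}

// The six RFC 6454 section 3.2.1 URLs quoted in the thread.
const rfcExamples = [
  "http://example.com/", "http://example.com:8080/", "http://www.example.com/",
  "https://example.com:80/", "https://example.com/", "http://example.org/",
];
function countDistinctOrigins(urls) {
  return new Set(urls.map(originOf)).size;
}

// Allow-list and request URL from the thread; page URL is constructed.
const threadConfig =
  "http://www.domain.com, http://beta.domain.com:8080, http://localhost:8080";
const threadResult = diagnose(
  "http://www.domain.com/",
  "https://www.domain.com/application/api/request",
  threadConfig
);
console.log(countDistinctOrigins(rfcExamples), threadResult);
```

The allow-list is compared with the origin of the page making the request, not with the scheme of the URL being requested; `nonCanonical` lists entries whose spelling differs from the browser's serialization.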