Thanks, Christopher.

I think, for now, I'll just use * when developing and turn it off in
production.

I wonder if changing that method to protected might be a potential security
hole.

Thanks!

Blake McBride


On Thu, Jan 6, 2022 at 10:34 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Blake,
>
> On 1/6/22 10:29, Blake McBride wrote:
> > Greetings,
> >
> > I have been using the following with success:
> >
> > <filter>
> >     <filter-name>CorsFilter</filter-name>
> >     <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
> >     <init-param>
> >        <param-name>cors.allowed.headers</param-name>
> >        <param-value>Content-Type,X-Requested-With,Accept,Accept-Encoding,Accept-Language,Cache-Control,Connection,Host,Pragma,Origin,Referer,User-Agent,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
> >     </init-param>
> >     <init-param>
> >        <param-name>cors.exposed.headers</param-name>
> >        <param-value>Access-Control-Allow-Origin,Content-Length,Content-Type,Date,Server,Access-Control-Allow-Credentials</param-value>
> >     </init-param>
> >     <init-param>
> >        <param-name>cors.allowed.origins</param-name>
> >        <param-value>http://localhost:63342</param-value>
> >     </init-param>
> >     <init-param>
> >        <param-name>cors.allowed.methods</param-name>
> >        <param-value>GET, POST, HEAD, OPTIONS</param-value>
> >     </init-param>
> > </filter>
> > <filter-mapping>
> >     <filter-name>CorsFilter</filter-name>
> >     <url-pattern>/*</url-pattern>
> > </filter-mapping>
> >
> >
> > It allows me to allow CORS but only from http://localhost:63342.  I'd like
> > to change it to allow CORS from any IP but only ports 63342 and 8002.  How
> > can I specify that?
> >
> > I am using Tomcat 9.0.42 with JDK 8.
>
> I don't think you can do that with Tomcat's CORS filter. You can either
> "allow all" or you can list every origin.
>
> If you would like to hack on Tomcat, you could look at the private
> CorsFilter.isOriginAllowed method to see if you could come up with a
> more complicated way to evaluate the allowed-origins.
>
> Better yet, change the method to protected and then subclass the
> existing CorsFilter, adding whatever complexity you require.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
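Since the thread leaves the origin check inside Tomcat's CorsFilter private, the practical alternative is a small servlet filter of your own that makes the origin decision and emits the CORS headers itself. The class below is an added example written for this page; it is not code from the thread and not Tomcat's CorsFilter, and the class name, the `allowed.ports` init-param and the port list are assumptions. It encodes the policy asked for above ("any host, but only ports 63342 and 8002") and shows the two things a practitioner should check in any hand-rolled CORS filter: the response echoes the exact Origin rather than `*` (browsers refuse `*` on credentialed requests, and a `Vary: Origin` header is needed so caches do not serve one origin's answer to another), and the preflight is answered without running the application. Note the caveat built into the policy itself: a port-only rule trusts any host that can listen on those ports, so it is fine as a development convenience but is not an origin boundary for production.

```java
// Added example, not part of the Tomcat code base or the thread above.
// A Tomcat 9 (javax.servlet) filter that allows CORS from any host on a
// configured set of ports. Names below are assumptions for this illustration.
package example; // hypothetical package

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class PortRestrictedCorsFilter implements Filter {

    private final Set<Integer> allowedPorts = new HashSet<>();

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Hypothetical init-param, e.g. <param-value>63342,8002</param-value>
        String ports = config.getInitParameter("allowed.ports");
        if (ports == null || ports.trim().isEmpty()) {
            throw new ServletException("allowed.ports init-param is required");
        }
        for (String p : ports.split(",")) {
            try {
                allowedPorts.add(Integer.parseInt(p.trim()));
            } catch (NumberFormatException e) {
                throw new ServletException("allowed.ports: bad port '" + p + "'", e);
            }
        }
    }

    /** Policy decision: true only for an http(s) Origin whose port is allowed. */
    boolean isOriginAllowed(String origin) {
        // "null" is the opaque origin (sandboxed iframes, file://); never trust it.
        if (origin == null || "null".equals(origin)) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(origin);
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = uri.getScheme();
        if (!"http".equals(scheme) && !"https".equals(scheme)) {
            return false;
        }
        // A serialized origin is scheme://host[:port] only: reject anything extra.
        if (uri.getHost() == null || uri.getUserInfo() != null
                || (uri.getRawPath() != null && !uri.getRawPath().isEmpty())) {
            return false;
        }
        int port = uri.getPort();
        if (port == -1) {
            port = "https".equals(scheme) ? 443 : 80; // default port when omitted
        }
        return allowedPorts.contains(port);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String origin = request.getHeader("Origin");

        if (origin == null) {
            chain.doFilter(req, res); // same-origin or non-browser request: no CORS headers
            return;
        }

        // The answer depends on Origin, so shared caches must key on it.
        response.addHeader("Vary", "Origin");

        if (!isOriginAllowed(origin)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Origin not allowed");
            return;
        }

        // Echo the exact origin. Do not use "*" here if you later add
        // Access-Control-Allow-Credentials: true; browsers reject that combination.
        response.setHeader("Access-Control-Allow-Origin", origin);

        boolean preflight = "OPTIONS".equals(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;
        if (preflight) {
            // Answer the preflight here so the application never sees it.
            response.setHeader("Access-Control-Allow-Methods", "GET, POST, HEAD, OPTIONS");
            response.setHeader("Access-Control-Allow-Headers",
                    "Content-Type, X-Requested-With, Accept, Cache-Control, Pragma");
            response.setHeader("Access-Control-Max-Age", "600");
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        allowedPorts.clear();
    }
}
```

Map it in web.xml the same way as the CorsFilter above (a `<filter>` with `<filter-class>example.PortRestrictedCorsFilter</filter-class>` and an `allowed.ports` init-param of `63342,8002`, plus a `<filter-mapping>` on `/*`), and remove the CorsFilter mapping so the two do not both write `Access-Control-Allow-Origin`. The same `isOriginAllowed` method is the place to tighten the rule later, for instance to a host allow-list, when the application moves beyond development.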
