Blake,

On 1/6/22 16:17, Blake McBride wrote:
> I think, for now, I'll just use * when developing and turned off when in
> production.

What's the point of that? The entire purpose of CORS is to protect users from attackers while allowing legitimate uses of your own resources. Running it in development-only protects nobody.

> I wonder if changing that method to protected might be a potential security
> hole.

Not really. I mean, if someone can inject code into your process, they can overwrite the whole CorsFilter class anyway and just allow everything. Or simply remove the CorsFilter from the filter chain entirely. Or just attack you directly, instead of allowing HTTP requests from other places.

In production, we don't use the CorsFilter but instead implement CORS at the reverse-proxy level. We use Apache httpd as our reverse-proxy and you can devise pretty exotic rules for how to reply to CORS requests.

-chris

> On Thu, Jan 6, 2022 at 10:34 AM Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> > Blake,
> >
> > On 1/6/22 10:29, Blake McBride wrote:
> > > Greetings,
> > >
> > > I have been using the following with success:
> > >
> > > <filter>
> > >     <filter-name>CorsFilter</filter-name>
> > >     <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
> > >     <init-param>
> > >         <param-name>cors.allowed.headers</param-name>
> > >         <param-value>Content-Type,X-Requested-With,Accept,Accept-Encoding,Accept-Language,Cache-Control,Connection,Host,Pragma,Origin,Referer,User-Agent,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
> > >     </init-param>
> > >     <init-param>
> > >         <param-name>cors.exposed.headers</param-name>
> > >         <param-value>Access-Control-Allow-Origin,Content-Length,Content-Type,Date,Server,Access-Control-Allow-Credentials</param-value>
> > >     </init-param>
> > >     <init-param>
> > >         <param-name>cors.allowed.origins</param-name>
> > >         <param-value>http://localhost:63342</param-value>
> > >     </init-param>
> > >     <init-param>
> > >         <param-name>cors.allowed.methods</param-name>
> > >         <param-value>GET, POST, HEAD, OPTIONS</param-value>
> > >     </init-param>
> > > </filter>
> > > <filter-mapping>
> > >     <filter-name>CorsFilter</filter-name>
> > >     <url-pattern>/*</url-pattern>
> > > </filter-mapping>
> > >
> > > It allows me to allow CORS but only from http://localhost:63342.  I'd like
> > > to change it to allow CORS from any IP but only ports 63342 and 8002.
> > > How can I specify that?
> > >
> > > I am using Tomcat 9.0.42 with JDK 8.
> >
> > I don't think you can do that with Tomcat's CORS filter. You can either
> > "allow all" or you can list every origin.
> >
> > If you would like to hack on Tomcat, you could look at the private
> > CorsFilter.isOriginAllowed method to see if you could come up with a
> > more complicated way to evaluate the allowed-origins.
> >
> > Better yet, change the method to protected and then subclass the
> > existing CorsFilter, adding whatever complexity you require.
> >
> > -chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
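The subclassing approach Chris sketches above (make `isOriginAllowed` protected, then subclass `CorsFilter`), worked through as an added example. This is not code from the thread and not Tomcat's own code. It assumes: `CorsFilter.isOriginAllowed(String)` has been changed to `protected` in your Tomcat build (the thread notes it is private in 9.0.42, so this will not compile against a stock 9.0.42 jar), the class can be subclassed (check it is not declared `final` in the version you patch), and the Tomcat 9 `CorsFilter` that extends `GenericFilter` and parses its own settings in the no-argument `init()`. The package name, the class name and the `cors.allowed.ports` init-param are invented for the example.

```java
package example; // hypothetical package name

import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.ServletException;

import org.apache.catalina.filters.CorsFilter;

/**
 * CorsFilter subclass that accepts an Origin from any host as long as the
 * origin's port is in a configured allow-list. Preflight handling, allowed
 * methods/headers and the explicit cors.allowed.origins list are inherited.
 */
public class PortRestrictedCorsFilter extends CorsFilter {

    /** Hypothetical init-param, e.g. "63342,8002". */
    public static final String PARAM_ALLOWED_PORTS = "cors.allowed.ports";

    private Set<Integer> allowedPorts = Collections.emptySet();

    @Override
    public void init() throws ServletException {
        super.init(); // let CorsFilter parse its own init-params first
        allowedPorts = parsePorts(getInitParameter(PARAM_ALLOWED_PORTS));
    }

    /** Assumes the method was made protected; it is private in 9.0.42. */
    @Override
    protected boolean isOriginAllowed(String origin) {
        // Stock behaviour wins first: "*" or an explicitly listed origin.
        if (super.isOriginAllowed(origin)) {
            return true;
        }
        return isAllowedByPort(origin, allowedPorts);
    }

    /** Parse "63342, 8002" into a set of valid TCP ports; reject anything malformed. */
    static Set<Integer> parsePorts(String value) throws ServletException {
        Set<Integer> ports = new HashSet<>();
        if (value == null || value.trim().isEmpty()) {
            return ports;
        }
        for (String token : value.split(",")) {
            String t = token.trim();
            try {
                int port = Integer.parseInt(t);
                if (port < 1 || port > 65535) {
                    throw new NumberFormatException("out of range");
                }
                ports.add(port);
            } catch (NumberFormatException e) {
                throw new ServletException("Invalid port in " + PARAM_ALLOWED_PORTS + ": " + t);
            }
        }
        return ports;
    }

    /**
     * Decide purely on the origin's port. A browser-sent Origin is a serialized
     * origin ("scheme://host[:port]"), so a value with a path, query, fragment,
     * userinfo or a non-http(s) scheme is treated as not allowed. The literal
     * "null" origin has no scheme and is rejected too.
     */
    static boolean isAllowedByPort(String origin, Set<Integer> allowedPorts) {
        if (origin == null || allowedPorts.isEmpty()) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(origin);
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            return false;
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false;
        }
        if (uri.getHost() == null || uri.getRawUserInfo() != null) {
            return false;
        }
        if (!uri.getRawPath().isEmpty() || uri.getRawQuery() != null
                || uri.getRawFragment() != null) {
            return false;
        }
        int port = uri.getPort();
        if (port == -1) {
            port = scheme.equals("https") ? 443 : 80; // no explicit port: scheme default
        }
        return allowedPorts.contains(port);
    }
}
```

To use it, point the existing `<filter-class>` at `example.PortRestrictedCorsFilter` and add an `<init-param>` named `cors.allowed.ports` with value `63342,8002`; the other init-params from the web.xml above keep working unchanged. Note what this widens: the filter now answers with `Access-Control-Allow-Origin` for any host that happens to serve a page on one of those ports, not just `localhost`, so it is worth confirming that is really the intended trust boundary before enabling it outside development.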
