https://bz.apache.org/bugzilla/show_bug.cgi?id=67472
Bug ID: 67472
Summary: CorsFilter erroneously adds CORS headers in responses to Non-CORS requests
Product: Tomcat 10
Version: unspecified
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Util
Assignee: dev@tomcat.apache.org
Reporter: lmed...@protonmail.com
Target Milestone: ---

Created attachment 39049
--> https://bz.apache.org/bugzilla/attachment.cgi?id=39049&action=edit
First request without Origin headers and response with CORS headers (in French, sorry)

Hi,

Problem experienced in Tomcat 10.1.13.

When CorsFilter configuration is added to Tomcat's web.xml, all requests are treated as CORS requests. I mean that the response to any request will contain CORS headers (see attachment), causing the client to send the server's origin in further requests, which are then blocked by the filter if they are not in the cors.allowed.origins list.

According to the flowchart at https://tomcat.apache.org/tomcat-10.1-doc/images/cors-flowchart.png, responses to non-CORS requests should not have any additional header added.

An easy workaround would be to add the server's origin to this list, but:
- it adds useless header exchanges and processing in same-origin transactions,
- it is much harder to do when the server is installed on VMs that are instantiated by scripts.

I think what causes this bug is line 325 in CorsFilter.java:

    addStandardHeaders(request, response);

This method should not be called in handleNonCors().

Can you remove this instruction from the next versions, please?

Thanks in advance and best regards.
L. Medini.
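A small regression check for the behaviour the report describes, added here as an example (it is not part of the bug report or of Tomcat): it classifies a captured request as CORS or non-CORS by the presence of an Origin header, as the linked flowchart does, and flags any Access-Control-* headers found in the response to a non-CORS request. The request and response samples are constructed for the example; the attachment itself is not reproduced.

```python
"""Flag CORS headers on responses to non-CORS requests (constructed samples)."""

CORS_HEADER_PREFIX = "access-control-"


def parse_headers(raw_message: str) -> dict[str, str]:
    """Parse the header section of a raw HTTP message into a lower-cased dict.

    The first line (request line or status line) is skipped; parsing stops at
    the first blank line so a body, if present, is ignored.
    """
    headers: dict[str, str] = {}
    for line in raw_message.strip().splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def is_cors_request(request_headers: dict[str, str]) -> bool:
    """Per the flowchart, a request without an Origin header is a non-CORS request."""
    return "origin" in request_headers


def cors_headers_in(response_headers: dict[str, str]) -> list[str]:
    """Names of every Access-Control-* header the server added, sorted."""
    return sorted(h for h in response_headers if h.startswith(CORS_HEADER_PREFIX))


def check_exchange(raw_request: str, raw_response: str) -> dict:
    """Return the classification and whether the exchange shows the reported bug."""
    request = parse_headers(raw_request)
    response = parse_headers(raw_response)
    cors = is_cors_request(request)
    added = cors_headers_in(response)
    # Only a non-CORS request that still received CORS headers is a violation.
    return {"cors_request": cors, "cors_headers": added, "violation": (not cors) and bool(added)}


# Constructed samples: a same-origin page load with no Origin header, answered
# once with CORS headers (the reported behaviour) and once without them.
NON_CORS_REQUEST = "GET /app/ HTTP/1.1\r\nHost: intranet.example.test\r\nAccept: text/html\r\n\r\n"
CORS_REQUEST = NON_CORS_REQUEST.replace("Accept:", "Origin: https://other.example.test\r\nAccept:")
BUGGY_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                  "Access-Control-Allow-Origin: https://intranet.example.test\r\n"
                  "Access-Control-Allow-Credentials: true\r\nVary: Origin\r\n\r\n")
CLEAN_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for name, req, resp in [("buggy", NON_CORS_REQUEST, BUGGY_RESPONSE),
                            ("clean", NON_CORS_REQUEST, CLEAN_RESPONSE),
                            ("cors", CORS_REQUEST, BUGGY_RESPONSE)]:
        print(name, check_exchange(req, resp))
```

Against a live server, feed the script the raw request you sent and the response headers you received (for example from a curl -v capture); a `violation` of True reproduces the behaviour described in the report.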