https://bz.apache.org/bugzilla/show_bug.cgi?id=69214
Bug ID: 69214
Summary: CORSFilter prevent requests with POST method with no
content type
Product: Tomcat 10
Version: 10.1.26
Hardware: PC
OS: Mac OS X 10.1
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ------
i have a web application that accepts POST requests with no supplied data (no
Content-Type nor Content_Length) and that can handle client calls.
When the client makes the same call though CORS, the CORSFilter detects and
error and return HTTP 403 code.
Looking at some Q/A regarding POST ... we can see that it is legitimate to
implement POST calls with no content (body)
https://lists.w3.org/Archives/Public/ietf-http-wg/2010JulSep/0275.html
In the CorsFilter.checkRequestType () method, though, it seems no having any
content type prevent from updating the requestType, initialized with
CORSRequestType.INVALID_CORS.
Q: shouldn't we return in such case CORSRequestType.SIMPLE or
CORSRequestType.ACTUAL ?
ie: (see 'set the request type then ...')
protected CORSRequestType checkRequestType(final HttpServletRequest request) {
CORSRequestType requestType = CORSRequestType.INVALID_CORS;
...
} else if ("POST".equals(method)) {
String mediaType =
getMediaType(request.getContentType());
if (mediaType != null) {
if
(SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES.contains(mediaType)) {
requestType = CORSRequestType.SIMPLE;
} else {
requestType = CORSRequestType.ACTUAL;
}
} else {
// sets the request type then ...
requestType = CORSRequestType.SIMPLE;
}
} else {
...
return requestType;
}
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
