Hi.
On this list, it is preferred to not top-post, but respond in-line or below the previous
intervention.
Re : http://tomcat.apache.org/lists.html#tomcat-users -> important -> 6
It makes it easier to follow the conversation, and for people with small screens, to avoid
scrolling up and down all the time.
So I have re-positioned your answer below.
On 26.02.2016 09:08, RICHARD DOUST wrote:
On Feb 26, 2016, at 2:42 AM, André Warnier (tomcat) <a...@ice-sa.com> wrote:
On 25.02.2016 22:59, RICHARD DOUST wrote:
Hi,
I’m running Tomcat 7.0. Can’t find the version.bat file, so I don’t know more
than that. It’s installed on a Windows computer running Windows Server 2003
DataCenter Edition. (How’s that for refusing to upgrade?) Anyway, it’s a
client’s box. I’m trying to migrate an application to JavaScript from GWT, but
that’s beside the point. The problem is, I’m unable to send an XMLHttpRequest
to this Tomcat instance via https. The site is being served by the same domain,
but via http.
I get:
Failed to load resource: Origin http://www.domain.com is not allowed by
Access-Control-Allow-Origin.
https://www.domain.com/application/api/request
XMLHttpRequest cannot load https://www.domain.com/application/api/reqeuest.
Origin http://www.domain.com is not allowed by Access-Control-Allow-Origin.
This is an excerpt my web.xml file for the war:
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value> http://www.domain.com, http://beta.domain.com:8080,
http://localhost:8080</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.methods</param-name>
<param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/api/*</url-pattern>
</filter-mapping>
I’d like to debug this, but I don’t know how to go about it. Am I suffering
from a basic misunderstanding? Does cors not allow http to https? Anyway, any
help would be appreciated.
Honestly, I don't know much about CORS, but I looked at the specs, here :
http://tools.ietf.org/html/rfc6454 (*)
and it seems to me indeed that in
3.2, Q: Why not just use the host?,
it indeed says that the scheme "http" or "https", is part of the origin.
I interpret this as meaning that if the HTML page was obtained from "http://www.domain.com";, a call
made from within it, to "https://www.domain.com"; would not qualify as "from the same
origin".
Further in 3.2.1, it gives some examples :
Each of the following resources has a different origin from the
others.
http://example.com/
http://example.com:8080/
http://www.example.com/
https://example.com:80/
https://example.com/
http://example.org/
(*) pointed at by the on-line Tomcat documentation :
https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter
-> cors.allowed.origins -> "origin"
There's no doubt in my mind that this is considered a cross-domain request. The
question is, why is it not being allowed given the configuration. The domain
that requested the original page (via http) is specifically set to be allowed
to access the site in a cross-domain scenario.
Ok, sorry to have misunderstood your question. I'm new at this CORS stuff..
My question is, why doesn't it work, or, how can I debug it?
I guess I'm going to have to figure out how to get the code for org.apache
associated with the jar file so that I can see the source in Eclipse and set a
breakpoint.
I have read elsewhere that any http page that attempts to mix in https content
is as insecure as the page that uses http exclusively, being subject to man in
the middle attacks and that once you need https everything needs to be https
There is a short explanation for this view in the same RFC, at
3.2. Origin -> Q: Why not just use the host?
, but in a large SPA, that seems to me to mean a lot of potentially unnecessary
overhead.
This is another debate. In my heart, I tend to agree with you. But then, it seems that
even high-traffic sites are switching to HTTPS overall, so I guess it does not have such a
fearsome impact on performance anymore.
I'd like to know what some experts think.
I guess I'd better leave it to them then, and keep watching this thread to learn more
about CORS..
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
