Firefox v25 omits Access-Control-Request-Headers, causes NullPoinerException

Create issue
Issue #12 invalid
Vladimir Dzhuvinov created an issue

Reported by email:


I am seeing another problem where CORS plugin is failing with NullPointerException in CORSRequestHandler.java because my POST requests from FireFox (v 25) are missing Access-Control-Request-Headers.

This seems to be happening only in FireFox. Please let me know how this issue can be fixed.

Thanks,

Prithvi

ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/bulkContentUploadDMZ-0.0.2.0].[bulkContentUpload]] (http--127.0.0.1-8081-1) Servlet.service() for servlet bulkContentUpload threw exception: java.lang.NullPointerException

            at com.thetransactioncompany.cors.CORSRequestHandler.handlePreflightRequest(CORSRequestHandler.java:347) [cors-filter-1.7.jar:]

            at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:162) [cors-filter-1.7.jar:]

            at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:233) [cors-filter-1.7.jar:]

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.1.Final.jar:7.0.2.Final]

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.1.Final.jar:7.0.2.Final]

            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.1.Final.jar:7.0.2.Final]

            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.1.Final.jar:7.0.2.Final]

            at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:139) [jboss-as-web-7.0.2.Final.jar:7.0.2.Final]

            at org.jboss.as.web.NamingValve.invoke(NamingValve.java:57) [jboss-as-web-7.0.2.Final.jar:7.0.2.Final]

            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:154) [jbossweb-7.0.1.Final.jar:7.0.2.Final]

            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.1.Final.jar:7.0.2.Final]

            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.1.Final.jar:7.0.2.Final]

            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [jbossweb-7.0.1.Final.jar:7.0.2.Final]

            at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.1.Final.jar:7.0.2.Final]

            at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:667) [jbossweb-7.0.1.Final.jar:7.0.2.Final]

            at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:952) [jbossweb-7.0.1.Final.jar:7.0.2.Final]

            at java.lang.Thread.run(Thread.java:722) [:1.7.0_21]

Comments (3)

  1. Vladimir Dzhuvinov reporter

    The CORS spec says the following about treating requests with missing Access-Control-Request-Headers :

    http://www.w3.org/TR/cors/#resource-preflight-requests

    • Let header field-names be the values as result of parsing the Access-Control-Request-Headers headers.
    • If there are no Access-Control-Request-Headers headers let header field-names be the empty list.
    • If parsing failed do not set any additional headers and terminate this set of steps. The request is outside the scope of this specification.
  2. Log in to comment