invalid token ‘{’ in CORS header

Issue #35 resolved
Thad Humphries created an issue

I am using this filter in a *.WAR deployed on Tomcat 8.5. I am seeing curly braces, '{' and '}' in the response headers. This causes failure in Firefox 66.

For example, in my cors.properties file, I set

cors.supportedMethods: { GET, POST, HEAD, PUT, DELETE }

The response header is

Access-Control-Allow-Methods: HEAD, DELETE, POST, GET, {,  }, PUT

For a cors.properties setting of

cors.supportedMethods: { GET, POST, HEAD, PUT, DELETE, OPTIONS }

The response header is

Access-Control-Allow-Methods: HEAD, DELETE, POST, GET, {, OPTIONS, }, PUT

Safari 12 and Chrome 73 and Canary 75 don't mind, but Firefox fails with these console messages:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8888/oasrest/login. (Reason: invalid token ‘{’ in CORS header Access-Control-Allow-Methods).

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8888/oasrest/login. (Reason: CORS request did not succeed).

Comments (5)

  1. Thad Humphries reporter

    Never mind. Relooked at this today, and found that our config file had curly brackets around the value for cors.supportedMethods. Sorry for the trouble.
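
A pre-deployment check for the misconfiguration resolved above, as an added example that is not part of the issue thread or the filter's own code: it flags entries in `cors.supportedMethods` that are not valid HTTP method tokens (RFC 7230). The function names are hypothetical, and the comma/whitespace splitting rule is an assumption inferred from the header output quoted in the issue.

```python
import re

# RFC 7230 "token": the only characters allowed in an HTTP method name.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Assumption: the value is split on commas and/or whitespace, which matches
# the stray "{" and "}" entries in the response header quoted in the issue.
SPLIT = re.compile(r"[\s,]+")


def invalid_method_tokens(value):
    """Return the entries of a method list that are not valid HTTP tokens."""
    entries = [e for e in SPLIT.split(value.strip()) if e]
    return [e for e in entries if not TOKEN.match(e)]


def lint_properties(text, key="cors.supportedMethods"):
    """Find `key` in .properties text and return (value, invalid entries).

    Handles the `key: value` and `key = value` separators only; returns
    (None, []) when the key is absent.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        m = re.match(r"([^\s:=]+)\s*[:=]\s*(.*)$", line)
        if m and m.group(1) == key:
            return m.group(2), invalid_method_tokens(m.group(2))
    return None, []


# Constructed sample inputs: the first value is the one from the issue.
BAD = "# cors.properties\ncors.supportedMethods: { GET, POST, HEAD, PUT, DELETE }\n"
GOOD = "cors.supportedMethods: GET, POST, HEAD, PUT, DELETE\n"

if __name__ == "__main__":
    for sample in (BAD, GOOD):
        value, bad = lint_properties(sample)
        print(f"{value!r}: {'invalid entries ' + repr(bad) if bad else 'ok'}")
```

Running the same check against a captured `Access-Control-Allow-Methods` response header catches the problem in browsers that tolerate it, since only Firefox rejected the header in the report above.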