Ignore CORS requests from same origin

Create issue
Issue #9 resolved
Vladimir Dzhuvinov created an issue

Reported by Casey Lucas via email:

Subject: cors filter for origin == host Date: Tue, 7 May 2013 15:47:14 +0000 (05/07/2013 06:47:14 PM)

First, thank you for the excellent CORSFilter. We've had good success using it in production. We recently ran across a scenario which it didn't handle and were wondering if you had any thoughts about the issue. Basically, we would like to be able to allow requests through the filter when the origin matches the host header. Right now, we have to explicitly allow all hosts (including "hosts" of ip addresses if that is what's used in the browser) in the web.xml file and this creates a headache for development time when developers access services by dhcp ip address instead of well-known fixed host names. We're using easyxdm on the client and it always adds an origin header (even if the origin matches the current host/server) so the requests are being denied by the filter.

Should requests where origin matches host always be allowed? See also: http://stackoverflow.com/questions/15512331/chrome-adding-origin-header-to-same-origin-request We can contribute back / provide a pull request if you desire.

Comments (4)

  1. casey lucas

    We'll submit a fix. We're thinking in CORSRequestType.detect if we detect that origin header exist and it's the same as request.getScheme + "://" + host header we treat it as OTHER. Also, it is not legal for XMLHttpRequest to modify the host header so this shouldn't be a concern. Let me know if you disagree on this approach.

  2. Log in to comment