Reported by Casey Lucas via email:
Subject: cors filter for origin == host
Date: Tue, 7 May 2013 15:47:14 +0000 (05/07/2013 06:47:14 PM)

First, thank you for the excellent CORSFilter. We've had good success using it in production. We recently ran across a scenario which it didn't handle and were wondering if you had any thoughts about the issue. Basically, we would like to be able to allow requests through the filter when the origin matches the host header. Right now, we have to explicitly allow all hosts (including "hosts" of IP addresses if that is what's used in the browser) in the web.xml file, and this creates a headache at development time when developers access services by DHCP IP address instead of well-known fixed host names. We're using easyXDM on the client and it always adds an origin header (even if the origin matches the current host/server), so the requests are being denied by the filter.

Should requests where origin matches host always be allowed?

See also: http://stackoverflow.com/questions/15512331/chrome-adding-origin-header-to-same-origin-request

We can contribute back / provide a pull request if you desire.
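
The comparison the report asks for, sketched as an added example (not code from the CORS Filter project or from the reporter): an Origin value is treated as same-origin only when scheme, host and effective port all agree with what the request arrived on. `SameOriginCheck` and its method names are hypothetical, the sample addresses are constructed, and it assumes the container sees the scheme and Host header the browser actually used, which may not hold behind a reverse proxy that rewrites them.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Added example; SameOriginCheck and its methods are hypothetical names,
// not part of the CORS Filter code base.
public class SameOriginCheck {

    // Default port for http/https, or -1 for any other scheme.
    static int defaultPort(String scheme) {
        if ("http".equals(scheme)) return 80;
        if ("https".equals(scheme)) return 443;
        return -1;
    }

    // Reduce a value to "scheme://host:port" (lower-cased, default port made
    // explicit). Returns null for anything that is not a bare http(s) origin,
    // including the literal "null" origin, so the caller fails closed.
    static String normalize(String value) {
        try {
            URI u = new URI(value.trim());
            String scheme = u.getScheme() == null ? null : u.getScheme().toLowerCase(Locale.ROOT);
            int dflt = defaultPort(scheme);
            if (u.getHost() == null || dflt == -1) return null;
            if (u.getRawUserInfo() != null || !u.getRawPath().isEmpty()
                    || u.getRawQuery() != null || u.getRawFragment() != null) return null;
            int port = u.getPort() != -1 ? u.getPort() : dflt;
            return scheme + "://" + u.getHost().toLowerCase(Locale.ROOT) + ":" + port;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    // True when Origin names the scheme, host and port the request arrived on.
    // requestScheme is what the container reports (HttpServletRequest.getScheme()).
    static boolean originMatchesHost(String origin, String requestScheme, String hostHeader) {
        if (origin == null || requestScheme == null || hostHeader == null) return false;
        String fromOrigin = normalize(origin);
        String fromHost = normalize(requestScheme + "://" + hostHeader);
        return fromOrigin != null && fromOrigin.equals(fromHost);
    }

    public static void main(String[] args) {
        // Constructed sample values: a DHCP-style address and a placeholder host name.
        System.out.println(originMatchesHost("http://192.168.1.23:8080", "http", "192.168.1.23:8080"));
        System.out.println(originMatchesHost("http://EXAMPLE.test", "http", "example.test:80"));
        System.out.println(originMatchesHost("https://example.test", "http", "example.test"));
        System.out.println(originMatchesHost("null", "http", "example.test"));
    }
}
```

Comparing only the host names would treat `http://` and `https://` pages, or two services on different ports of one machine, as the same origin; the normalized triple avoids that.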