cors-filter icon indicating copy to clipboard operation
cors-filter copied to clipboard
verified publisher icon eBay

Support 'null' origin

Open jamesagnew opened this issue 10 years ago • 5 comments

When using HTML which is deployed to a local hard drive, the browser will issue a CORS preflight request with an Origin header of "Origin: null".

Currently CORSFilter treats this as an invalid preflight request even if the filter is configured to allow origin "*". This pull request lets the filter allow this through.

jamesagnew avatar Oct 17 '15 14:10 jamesagnew

Hi guys, any update on this? I am actually encountering this problem. The use case is to use Cordova to build a hybrid app which talks to an API server that uses this CORS filter. Because the request is made from a file in Cordova, the Origin is set to file:// which is interpreted as null and hit this error.

alvinleonard avatar Oct 12 '16 02:10 alvinleonard

Hi Alvin, I'm kind of guessing this project is abandoned unfortunately..

FWIW since I'm guessing you're using this with HAPI, there is a copy of CorsFilter with the patch applied here] in HAPI.

You could always do the same and copy the class into your own project.. It doesn't need any external dependencies.

Another alternative is to use Spring Security's CORS filter instead. I am kind of leaning towards updating HAPI's documentation to recommend using that instead, since it does more than just CORS and you can use it without using the rest of Spring if you want.

jamesagnew avatar Oct 12 '16 15:10 jamesagnew

@jamesagnew and @alvinleonard Sorry for not responding earlier. This project is not being maintained very actively, specially after donation to Apache Tomcat project.

This issue has already been fixed in Tomcat's code base: https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/filters/CorsFilter.java#L825

Can either of you please update this PR with changes from Tomcat's code base, and then I can work towards releasing a fresh version of this ?

mohitsoni avatar Oct 12 '16 21:10 mohitsoni

Hi @jamesagnew, yep I am using this with HAPI JPA server. The particular case I am encountering is the case where the Origin is set to file:// by Cordova for any POST requests.

It looks like the code in Tomcat project has been updated to support that: https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/filters/CorsFilter.java#L832

@mohitsoni I'll give the PR a go.

alvinleonard avatar Oct 12 '16 22:10 alvinleonard

Hi @mohitsoni, I've created the PR here: https://github.com/eBay/cors-filter/pull/13. Pulled both the null and file:// checks from Tomcat project.

alvinleonard avatar Oct 12 '16 22:10 alvinleonard