[jetty-dev] CrossOriginFilter-servlet


[jetty-dev] CrossOriginFilter-servlet

Peilke, Hendrik

Hi,


I am using Jetty in conjunction with GeoServer. By testing out the CrossOriginFilter and looking at the code at https://github.com/eclipse/jetty.project/blob/master/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/CrossOriginFilter.java it seems to me that there is still a bug when all origins are allowed (*): the Jetty filter returns the origin (not the *) in line 398, but does not set the Vary option in line 401. So the browser caches the origin response, and if I have two different sites requesting on the same Jetty server, the second request will not be managed by the browser, because the cached allowed origin does not match the current origin (tested with current Chrome and Firefox). Looking at the Tomcat servlet, I noticed that they return the * if all origins are allowed and not the specific origin (https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/filters/CorsFilter.java, line 413). So the code could be (instead of lines 398-401):


if (anyOriginAllowed) {
    // Every origin is allowed: answer "*" instead of echoing the request Origin,
    // so the response is valid for any origin and a cache may reuse it safely.
    response.setHeader(ACCESS_CONTROL_ALLOW_ORIGIN_HEADER, "*");
} else {
    // A specific origin is echoed back, so the response depends on the
    // Origin request header and caches must be told so via Vary.
    response.setHeader(ACCESS_CONTROL_ALLOW_ORIGIN_HEADER, origin);
    // W3C CORS spec http://www.w3.org/TR/cors/#resource-implementation
    response.addHeader("Vary", ORIGIN_HEADER);
}


Can you please fix that, or is there a specific reason that Jetty always returns the origin? If there is, then it also always has to return the Vary header, and not only if not all origins are allowed.


Regards,

Hendrik



IBYKUS AG für Informationstechnologie, Erfurt / HRB 108616 - D-Jena / Management board: Helmut C. Henkel, Dr. Lutz Richter
Chairman of the supervisory board: Dr. Helmut Vorndran

_______________________________________________
jetty-dev mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-dev
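The cache interaction described in the message above, modelled as an added example that is not part of this thread and not Jetty's or Tomcat's code. It is written in Python rather than as a servlet filter because the point is HTTP semantics, not the servlet API: a tiny Vary-aware cache sits between two pages on different origins and one server, and the server's CORS filter runs in one of three constructed modes (echo the Origin with no Vary when every origin is allowed, answer "*", or echo the Origin and always add Vary: Origin). The URL, the origins and the mode names are constructed for the example.

```python
"""Why a CORS filter that echoes the request Origin into
Access-Control-Allow-Origin must also send Vary: Origin: a cache keyed
only on the URL will otherwise hand origin A's response to origin B.
Constructed example; the three modes are simplifications of the
behaviours discussed in the thread, not Jetty's or Tomcat's code."""
from dataclasses import dataclass

ORIGIN_HEADER = "Origin"
ACAO_HEADER = "Access-Control-Allow-Origin"
VARY_HEADER = "Vary"


@dataclass
class Request:
    url: str
    headers: dict


@dataclass
class Response:
    headers: dict


def cors_filter(req: Request, allowed_origins: set, mode: str) -> Response:
    """Set the CORS response headers for one request.

    mode is one of (constructed names):
      "echo_no_vary"   echo the Origin, no Vary when every origin is allowed
                       (the behaviour the report complains about)
      "star"           answer "*" when every origin is allowed (Tomcat-style)
      "echo_with_vary" echo the Origin and always add Vary: Origin
    """
    resp = Response(headers={"Content-Type": "text/plain"})
    origin = req.headers.get(ORIGIN_HEADER)
    if origin is None:
        return resp  # not a cross-origin request
    any_origin_allowed = "*" in allowed_origins
    if not any_origin_allowed and origin not in allowed_origins:
        return resp  # origin not allowed: send no CORS headers at all
    if any_origin_allowed and mode == "star":
        resp.headers[ACAO_HEADER] = "*"
        return resp  # "*" is identical for every origin, so no Vary is needed
    resp.headers[ACAO_HEADER] = origin
    if not any_origin_allowed or mode == "echo_with_vary":
        resp.headers[VARY_HEADER] = ORIGIN_HEADER
    return resp


class VaryAwareCache:
    """Minimal HTTP cache: an entry is keyed on the URL plus the values of the
    request headers named in the stored response's Vary header."""

    def __init__(self):
        self.entries = {}  # url -> list of (vary key dict, Response)

    def lookup(self, req: Request):
        for vary_key, resp in self.entries.get(req.url, []):
            if all(req.headers.get(h) == v for h, v in vary_key.items()):
                return resp
        return None

    def store(self, req: Request, resp: Response) -> None:
        names = [h.strip() for h in resp.headers.get(VARY_HEADER, "").split(",") if h.strip()]
        if "*" in names:
            return  # Vary: * means the response is never reusable
        vary_key = {h: req.headers.get(h) for h in names}
        self.entries.setdefault(req.url, []).append((vary_key, resp))


def browser_accepts(origin: str, resp: Response) -> bool:
    """The browser's CORS check for a non-credentialed response."""
    acao = resp.headers.get(ACAO_HEADER)
    return acao == "*" or acao == origin


def fetch(cache: VaryAwareCache, req: Request, server) -> Response:
    """Serve from the cache when possible, otherwise ask the server and cache."""
    resp = cache.lookup(req)
    if resp is None:
        resp = server(req)
        cache.store(req, resp)
    return resp


def simulate(mode: str) -> list:
    """Two pages on different origins call the same URL through one browser
    cache; returns whether each page's script may read the reply."""
    cache = VaryAwareCache()
    server = lambda req: cors_filter(req, {"*"}, mode)  # all origins allowed
    url = "https://jetty.example/geoserver/wms"  # constructed URL
    results = []
    for origin in ("https://site-a.example", "https://site-b.example"):
        req = Request(url, {ORIGIN_HEADER: origin})
        results.append(browser_accepts(origin, fetch(cache, req, server)))
    return results


if __name__ == "__main__":
    for mode in ("echo_no_vary", "star", "echo_with_vary"):
        print(mode, simulate(mode))
```

Running it shows "echo_no_vary" giving [True, False]: the second origin receives the cached response carrying the first origin's Access-Control-Allow-Origin value and the browser blocks it, which is the failure the report describes. Both "star" and "echo_with_vary" give [True, True]. The caveat when choosing between those two: "*" is not accepted by browsers when the response also carries Access-Control-Allow-Credentials: true, so a filter that allows credentials has to echo the origin, and then it must send Vary: Origin every time, which is the second option raised in the message.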

Re: [jetty-dev] CrossOriginFilter-servlet

Simone Bordet-3
Hi,

On Fri, Aug 31, 2018 at 9:53 AM Peilke, Hendrik
<[hidden email]> wrote:

>
> Hi,
>
>
>
> I am using Jetty in conjunction with GeoServer. By testing out the CrossOriginFilter and looking at the code at https://github.com/eclipse/jetty.project/blob/master/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/CrossOriginFilter.java it seems to me that there is still a bug when all origins are allowed (*): the Jetty filter returns the origin (not the *) in line 398, but does not set the Vary option in line 401. So the browser caches the origin response, and if I have two different sites requesting on the same Jetty server, the second request will not be managed by the browser, because the cached allowed origin does not match the current origin (tested with current Chrome and Firefox). Looking at the Tomcat servlet, I noticed that they return the * if all origins are allowed and not the specific origin (https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/filters/CorsFilter.java, line 413). So the code could be (instead of lines 398-401):
>
>
>
> if (anyOriginAllowed) {
>     // Every origin is allowed: answer "*" instead of echoing the request Origin.
>     response.setHeader(ACCESS_CONTROL_ALLOW_ORIGIN_HEADER, "*");
> } else {
>     // A specific origin is echoed back, so caches must be told via Vary.
>     response.setHeader(ACCESS_CONTROL_ALLOW_ORIGIN_HEADER, origin);
>     // W3C CORS spec http://www.w3.org/TR/cors/#resource-implementation
>     response.addHeader("Vary", ORIGIN_HEADER);
> }
>
>
>
> Can you please fix that, or is there a specific reason that Jetty always returns the origin? If there is, then it also always has to return the Vary header, and not only if not all origins are allowed.
>

Please open an issue with the contents of this email.

Thanks!

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.