(Tomcat 7.0.50, Linux) Having recently enabled CORS support for our Tomcat-based web app using the provided CorsFilter, we have discovered a problem where some same-origin (i.e. non-CORS) requests from certain browsers (e.g. Chrome) are denied. This is due to the browser setting the Origin header even though the request is non-CORS. It turns out that this is in fact legal according to RFC 6454.
Given the popularity of Tomcat and Chrome I was surprised to find little mention of this problem online. Has anyone else encountered this problem? Our planned solution is to fork CorsFilter and modify it to allow requests for which the Origin and Host headers both resolve to the same IP address. However, if somebody has already implemented a solution for this problem, could you please let us know.

Thanks
Richard Hart
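
One way to recognise a same-origin request that still carries an Origin header, as an added example that is not part of the original post or of Tomcat's CorsFilter: it compares scheme, host and port (the RFC 6454 origin tuple) with the request's own values instead of resolving IP addresses. The class and method names are hypothetical, and the three request values are assumed to come from `HttpServletRequest.getScheme()`, `getServerName()` and `getServerPort()`.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Added example: decides whether an Origin header names the request's own origin. */
public class SameOriginCheck {

    /** Default port for a scheme, or -1 when the scheme has no default known here. */
    static int defaultPort(String scheme) {
        if ("http".equalsIgnoreCase(scheme)) return 80;
        if ("https".equalsIgnoreCase(scheme)) return 443;
        return -1;
    }

    /**
     * @param originHeader value of the Origin request header (may be null)
     * @param scheme       assumed to be request.getScheme()
     * @param serverName   assumed to be request.getServerName()
     * @param serverPort   assumed to be request.getServerPort()
     */
    static boolean isSameOrigin(String originHeader, String scheme,
                                String serverName, int serverPort) {
        if (originHeader == null || "null".equals(originHeader.trim())) {
            return false; // absent or opaque origin: leave the decision to the CORS filter
        }
        URI origin;
        try {
            origin = new URI(originHeader.trim());
        } catch (URISyntaxException e) {
            return false; // a malformed header is never treated as same-origin
        }
        if (origin.getScheme() == null || origin.getHost() == null) {
            return false;
        }
        // Normalise implicit ports so "http://host" and "http://host:80" compare equal.
        int originPort = origin.getPort() != -1
                ? origin.getPort() : defaultPort(origin.getScheme());
        int requestPort = serverPort > 0 ? serverPort : defaultPort(scheme);
        return origin.getScheme().equalsIgnoreCase(scheme)
                && origin.getHost().equalsIgnoreCase(serverName)
                && originPort == requestPort;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the original post.
        System.out.println(isSameOrigin("http://app.example.com", "http", "app.example.com", 80));
        System.out.println(isSameOrigin("https://app.example.com", "http", "app.example.com", 80));
        System.out.println(isSameOrigin("http://other.example.net", "http", "app.example.com", 80));
        System.out.println(isSameOrigin("null", "http", "app.example.com", 80));
    }
}
```

Behind a reverse proxy the scheme, name and port that Tomcat reports may be those of the proxy hop, so they need to reflect the client-facing URL for this comparison to be meaningful.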