2014-04-29 0:38 GMT+02:00 Terence M. Bandoian <[email protected]>:
> On 4/28/2014 5:32 PM, Terence M. Bandoian wrote:
>>
>> On 4/28/2014 3:08 PM, Jose María Zaragoza wrote:
>>>
>>> 2014-04-28 21:55 GMT+02:00 Terence M. Bandoian <[email protected]>:
>>>>
>>>> On 4/26/2014 6:56 AM, Jose María Zaragoza wrote:
>>>>>
>>>>> 2014-04-26 13:16 GMT+02:00 Martin Gainty <[email protected]>:
>>>>>>>
>>>>>>> Date: Sat, 26 Apr 2014 11:43:05 +0530
>>>>>>> Subject: Re: CORS issue with Tomcat and Android Webview
>>>>>>> From: [email protected]
>>>>>>> To: [email protected]
>>>>>>>
>>>>>>> On Sat, Apr 26, 2014 at 12:53 AM, Terence M. Bandoian
>>>>>>> <[email protected]> wrote:
>>>>>>>
>>>>>>>> On 4/24/2014 11:16 PM, Ankit Singhal wrote:
>>>>>>>>
>>>>>>>>> Hi
>>>>>>>>>
>>>>>>>>> I did more research on this and figured out the issue. If you see
>>>>>>>>> the headers from Android and look into Origin Header.
>>>>>>>>>
>>>>>>>>> Origin: file://
>>>>>>>>>
>>>>>>>>> Tomcat CORS filter tries to validate the URI in Origin header and
>>>>>>>>> considers "file://" as an invalid URI and returns back 403.
>>>>>>>>>
>>>>>>>>> I have applied <accept-origin>*</accept-origin> params. So
>>>>>>>>> shouldn't CORS filter honor this?
>>>>>>>>>
>>>>>>>>> I agree that Client also has the problem, but still server should
>>>>>>>>> also allow...
>>>>>>>>>
>>>>> Hi:
>>>>>
>>>>> I'm watching this flowchart
>>>>> https://tomcat.apache.org/tomcat-7.0-doc/images/cors-flowchart.png
>>>>>
>>>>> and I wonder if Tomcat 7 checks if the request received belongs to the
>>>>> right type.
>>>>> I mean, if browser sends a simple request (e.g. POST + application/xml
>>>>> content-type header)
>>>>> W3C spec says that request should be a preflight request, does
>>>>> Tomcat check this case?
>>>>>
>>>>>
>>>>>
>>>>> Regards
>>>>>
>>>>
>>>> Hi, Jose-
>>>>
>>>> I don't see where the W3C spec requires a preflight request for simple
>>>> requests.
>>>>
>>>>
>>>> -Terence Bandoian
>>>
>>>
>>> Sorry, I meant non-simple request.
>>> For example, if I perform a cross-domain POST request (within
>>> application/xml content-type header),
>>> I guess that a preflight request is required, right?
>>> What happens, if it's not sent, on Tomcat? Should it check it?
>>>
>>> Regards
>>
>>
>>
>> Hi, Jose-
>>
>> I don't see in the W3C spec where preflight requests are required at all.
>> Can you point me to where you've found that?
>>
>> -Terence Bandoian
>>
>
>
> I meant to say I don't see where the W3C spec requires preflight requests to
> be sent.

According to http://www.w3.org/TR/cors/#simple-cross-origin-request

Cross-Origin Request with Preflight

[
Go to the next step if the following conditions are true. *Otherwise,
make a preflight request.*

- For request method there either is a method cache match or it is a
  simple method and the force preflight flag is unset.
- For every header of author request headers there either is a header
  cache match for the field name or it is a simple header.
/]

So, I understand that if I make a POST request within application/xml
content-type header, it's a simple method but Content-type:
application/xml is not a simple header, according to
http://www.w3.org/TR/cors/#simple-method

I understand that client must make a preflight request.

Maybe I'm wrong

Regards

>
> -Terence
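
The rule quoted in the last message, written out as an added example that is not part of the original thread or of Tomcat's code: it classifies a cross-origin request as simple or preflighted from its method and author-set headers, using the simple method and simple header definitions of the W3C CORS Recommendation. It assumes an empty preflight result cache and an unset force preflight flag; the function names and sample requests are constructed for illustration.

```javascript
// Added example: classification per the W3C CORS Recommendation
// (http://www.w3.org/TR/cors/). Assumes an empty preflight result cache
// and the force preflight flag unset. Function names are hypothetical.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]); // case-sensitive
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// A header is "simple" if it is one of the three names above, or if it is
// Content-Type and its media type (parameters stripped) is in the short list.
function isSimpleHeader(name, value) {
  const n = name.trim().toLowerCase();
  if (SIMPLE_HEADERS.has(n)) return true;
  if (n !== "content-type") return false;
  const mediaType = String(value).split(";")[0].trim().toLowerCase();
  return SIMPLE_CONTENT_TYPES.has(mediaType);
}

// Returns { preflight: boolean, reasons: string[] } for author-set headers.
function classifyCorsRequest(method, authorHeaders = {}) {
  const reasons = [];
  if (!SIMPLE_METHODS.has(method)) {
    reasons.push(`method ${method} is not a simple method`);
  }
  for (const [name, value] of Object.entries(authorHeaders)) {
    if (!isSimpleHeader(name, value)) {
      reasons.push(`header ${name}: ${value} is not a simple header`);
    }
  }
  return { preflight: reasons.length > 0, reasons };
}

// Constructed sample requests, including the POST + application/xml case.
const samples = [
  ["POST", { "Content-Type": "application/xml" }],
  ["POST", { "Content-Type": "text/plain; charset=UTF-8" }],
  ["PUT", { "Content-Type": "text/plain" }],
  ["GET", { "X-Requested-With": "XMLHttpRequest" }],
];
for (const [method, headers] of samples) {
  const r = classifyCorsRequest(method, headers);
  console.log(method, JSON.stringify(headers), r.preflight ? "preflight" : "simple", r.reasons);
}
```

This decision is made by the user agent; a client that is not a browser can send the same POST without any preflight, so the server's own authentication and authorization checks must not depend on one having been sent.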
