On 06/02/2019 12:48, Jörg Schaible wrote:
> Hi Mark,
>
> On Wednesday, 6 February 2019, 11:45:46 CET, Mark Thomas wrote:
>> Exact Tomcat 8 version?
>> Exact Tomcat 9 version?
>>
>> How is CORS configured in your application?
>
> the VersionLoggerListener entries from the catalina.log files:
>
> this is the machine with Tomcat 8:
> ============== %< ==================
> - Server version: Apache Tomcat/8.0.41
> - Server built: Jan 18 2017 22:19:39 UTC

<snip/>

> - Server Version: Apache Tomcat/9.0.14
> - Server built: Dec 6 2018 21:13:53 UTC

You have almost 2 years of bug fixes between those versions.

Looks like you've hit the fixes for these bugs:

https://bz.apache.org/bugzilla/show_bug.cgi?id=62676
https://bz.apache.org/bugzilla/show_bug.cgi?id=62761
https://bz.apache.org/bugzilla/show_bug.cgi?id=62343 (CVE-2018-8014)

> The CORS-Settings from the web.xml:
>
> ============== %< ==================
> <filter>
>   <filter-name>CorsFilter</filter-name>
>   <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
>   <init-param>
>     <param-name>cors.exposedHeaders</param-name>
>     <param-value>Set-Cookie</param-value>
>   </init-param>
> </filter>
> <filter-mapping>
>   <filter-name>CorsFilter</filter-name>
>   <url-pattern>/*</url-pattern>
> </filter-mapping>
> ============== %< ==================

You need to set cors.allowed.origin to an appropriate value. See:

http://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#CORS_Filter

Mark
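An added example, not part of the original thread or of Tomcat: a small audit of a web.xml for CorsFilter declarations that still rely on the pre-fix defaults. The function names and finding strings are made up for illustration; the init-param names in KNOWN are the ones listed in the Tomcat 9 CORS filter documentation linked above, where the default for cors.allowed.origins is the empty string (no origin allowed).

```python
import xml.etree.ElementTree as ET

CORS_FILTER = "org.apache.catalina.filters.CorsFilter"
# Init-param names from the Tomcat 9 CORS filter documentation.
KNOWN = {"cors.allowed.origins", "cors.allowed.methods", "cors.allowed.headers",
         "cors.exposed.headers", "cors.preflight.maxage",
         "cors.support.credentials", "cors.request.decorate"}

# Constructed sample: the filter declaration quoted in the message above.
SAMPLE = """<web-app>
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.exposedHeaders</param-name>
      <param-value>Set-Cookie</param-value>
    </init-param>
  </filter>
</web-app>"""

def local(tag):
    """Strip an XML namespace prefix such as {http://...}filter."""
    return tag.rsplit("}", 1)[-1]

def text(elem, name):
    """Return the stripped text of the first direct child called name."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def audit_cors(web_xml):
    """List findings for every CorsFilter declared in a web.xml string."""
    findings = []
    for flt in ET.fromstring(web_xml).iter():
        if local(flt.tag) != "filter" or text(flt, "filter-class") != CORS_FILTER:
            continue
        params = {text(p, "param-name"): text(p, "param-value")
                  for p in flt if local(p.tag) == "init-param"}
        for name in sorted(set(params) - KNOWN):
            findings.append(f"unknown init-param: {name}")
        origins = params.get("cors.allowed.origins", "")
        if not origins:
            # With the post-fix default, no cross-origin request is allowed.
            findings.append("cors.allowed.origins not set")
        elif origins == "*" and params.get("cors.support.credentials", "").lower() == "true":
            # The combination CVE-2018-8014 describes as the insecure default.
            findings.append("wildcard origin with credentials")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_cors(SAMPLE)))
```

Run against the quoted configuration, it reports both the missing cors.allowed.origins and the init-param name that does not match the documented list.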