
Bug 360912

Summary: CrossOriginFilter does not send Access-Control-Allow-Origin on responses
Product: [RT] Jetty
Reporter: Damien <damien.feugas>
Component: server
Assignee: Simone Bordet <simone.bordet>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: calvinkrishy, jetty-inbox
Version: 7.1.3   
Target Milestone: 7.1.x   
Hardware: All   
OS: All   
Whiteboard:

Description Damien CLA 2011-10-14 01:48:06 EDT
Build Identifier: 8.0.0.RC0

With the CrossOriginFilter, when performing a "not simple" request, that is, a PUT or DELETE, a first preflight request is issued and properly handled.

But the second, "actual" request (the PUT or the DELETE) must have the header "Access-Control-Allow-Origin" = "*" added to its response (http://www.w3.org/TR/cors/#resource-preflight-requests, section 5.1 §3).

Without the header, the client (tested with Firefox 5+ and Chrome 11+) will not handle the body: it considers the body empty and raises an error.

Example: http://kodemaniak.de/?p=62, explained in the very last paragraph.



Reproducible: Always

Steps to Reproduce:
1. Enable CORS
2. Perform a PUT or DELETE request from a JavaScript client (may return something or not)
3. The OPTION request is well handled.
4. The actual request fails with an error (see in Firebug, for example).
Comment 1 Greg Wilkins CLA 2011-10-18 21:38:13 EDT
Simone,

Can you look at this one, as I find the specification document a bit impenetrable and you've already looked at it, so you may have a better understanding than I.

The spec appears to distinguish behaviour for simple requests, actual requests and preflight requests. However, the filter appears to assume that any non-simple requests are preflight requests.

It would also be good to have a test harness for this filter.

cheers
Comment 2 Simone Bordet CLA 2011-10-19 08:06:17 EDT
Fixed in Jetty 7.
Now actual responses contain the Access-Control-Allow-Origin header.
Comment 3 Simone Bordet CLA 2012-01-18 06:44:40 EST
*** Bug 365746 has been marked as a duplicate of this bug. ***
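
Added example, not part of the bug report and not Jetty's code: a simplified JavaScript model of the request classification discussed in comment 1, together with the browser-side check from the description, showing why an actual PUT response without Access-Control-Allow-Origin is rejected by the client. The function names, the config shape, the `nonSimpleIsPreflight` switch and the sample requests are assumptions made for illustration.

```javascript
// Simplified model of a CORS filter (illustrative; not Jetty's CrossOriginFilter source).
// Assumption: requests are classified by method only; the spec's header and
// content-type rules for "simple" requests are left out to keep the model short.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);

// A preflight is an OPTIONS request carrying Access-Control-Request-Method.
function classify(req) {
  if (!req.headers["origin"]) return "not-cors";
  if (req.method === "OPTIONS" && req.headers["access-control-request-method"]) {
    return "preflight";
  }
  return SIMPLE_METHODS.has(req.method) ? "simple" : "actual";
}

// nonSimpleIsPreflight=true models the behaviour described in comment 1:
// every non-simple request is handled as if it were a preflight.
function corsResponseHeaders(req, cfg, nonSimpleIsPreflight = false) {
  const headers = {};
  let kind = classify(req);
  if (kind === "not-cors") return headers;
  const origin = req.headers["origin"];
  const anyOrigin = cfg.allowedOrigins.includes("*");
  if (!anyOrigin && !cfg.allowedOrigins.includes(origin)) return headers;
  if (nonSimpleIsPreflight && kind === "actual") kind = "preflight";
  if (kind === "preflight") {
    const wanted = req.headers["access-control-request-method"];
    // An actual PUT/DELETE has no Access-Control-Request-Method, so it leaves bare.
    if (!wanted || !cfg.allowedMethods.includes(wanted)) return headers;
    headers["Access-Control-Allow-Methods"] = cfg.allowedMethods.join(",");
  }
  // Preflight, simple and actual responses all need Access-Control-Allow-Origin.
  headers["Access-Control-Allow-Origin"] = anyOrigin ? "*" : origin;
  return headers;
}

// Browser-side check: the response body is exposed to script only on a match.
function browserExposesBody(origin, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  return acao === "*" || acao === origin;
}

// Constructed sample data.
const cfg = { allowedOrigins: ["*"], allowedMethods: ["GET", "POST", "PUT", "DELETE"] };
const origin = "http://client.example";
const preflight = { method: "OPTIONS", headers: { origin, "access-control-request-method": "PUT" } };
const actualPut = { method: "PUT", headers: { origin } };
console.log(corsResponseHeaders(preflight, cfg));
console.log(corsResponseHeaders(actualPut, cfg, true));  // modelled bug: no headers
console.log(corsResponseHeaders(actualPut, cfg, false)); // header present
```

A regression test for a real filter would assert the same three cases: preflight answered, actual response carrying the header, and a disallowed origin receiving no CORS headers.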