
Bug 365746

Summary: CrossOriginFilter blocks PUT requests
Product: [RT] Jetty Reporter: Krishna <calvinkrishy>
Component: other Assignee: Simone Bordet <simone.bordet>
Status: RESOLVED DUPLICATE QA Contact:
Severity: normal    
Priority: P3 CC: simone.bordet, tbecker
Version: unspecified   
Target Milestone: 7.5.x   
Hardware: All   
OS: All   
Whiteboard:

Description Krishna CLA 2011-12-06 09:43:53 EST
Build Identifier: 7.4.5.v20110725

Even with the following definition in web.xml the CrossOriginFilter returns a 405 for PUT requests.

       <filter>
               <filter-name>cross-origin</filter-name>
               <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
               <init-param>
                       <param-name>allowedMethods</param-name>
                       <param-value>GET,POST,PUT,OPTIONS,HEAD</param-value>
               </init-param>
       </filter>

The pre-flight response is:

Access-Control-Allow-Methods: GET, POST, PUT, OPTIONS, HEAD

This seems to be due to the way the method isMethodAllowed in the filter is structured. The method checks to see if the header Access-Control-Request-Method is present. However, for the actual PUT request browsers (at least Firefox in my limited testing) do not send this header; it is sent only for the pre-flight OPTIONS request.

This page also seems to suggest that the browsers will not send this header for the actual PUT request:
http://www.html5rocks.com/en/tutorials/cors/#toc-handling-a-not-so-simple-request

This bug was confirmed in the mailing list: http://dev.eclipse.org/mhonarc/lists/jetty-users/msg01755.html

Reproducible: Always

Steps to Reproduce:
1. Set up the CrossOriginFilter with PUT being added to the allowedMethods init-param
2. Hit an end-point that supports PUT
Comment 1 Thomas Becker CLA 2012-01-13 08:36:07 EST
The current implementation works just as described here:

http://www.html5rocks.com/en/tutorials/cors/#toc-handling-a-not-so-simple-request

The method isMethodAllowed() is only being called on the preflight request itself and thus only on the preflight request the filter checks for the Access-Control-Request-Method header.

Have a look at: 
CrossOriginFilterTest.testPUTRequestWithPreflight()

This test sends a preflight request with the Access-Control-Request-Method header and the actual PUT request without that header.

So is this problem fixed for you in trunk or am I getting the issue wrong?
Comment 2 Simone Bordet CLA 2012-01-18 06:44:40 EST
The behavior of the CrossOriginFilter is correct; this bug duplicates https://bugs.eclipse.org/bugs/show_bug.cgi?id=360912.

*** This bug has been marked as a duplicate of bug 360912 ***
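
Added example, not part of the bug thread and not Jetty's CrossOriginFilter source: a dependency-free Java model of the method check discussed above, with the preflight-only check from Comment 1 next to the failure mode suspected in the description. Class, method and sample request names are hypothetical, and origin allow-list matching is left out to keep the focus on the method check.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

// Added illustration, not Jetty's CrossOriginFilter source; all names are hypothetical.
public class CorsMethodCheckDemo {
    static final List<String> ALLOWED = Arrays.asList("GET", "POST", "PUT", "OPTIONS", "HEAD");

    // A preflight is an OPTIONS request carrying Origin and Access-Control-Request-Method.
    static boolean isPreflight(String method, Map<String, String> h) {
        return "OPTIONS".equalsIgnoreCase(method)
                && h.containsKey("Origin")
                && h.containsKey("Access-Control-Request-Method");
    }

    // Check described in Comment 1: the allow-list is consulted only on the preflight.
    static String decide(String method, Map<String, String> h) {
        if (!h.containsKey("Origin")) return "not CORS: pass through";
        if (isPreflight(method, h)) {
            String requested = h.get("Access-Control-Request-Method");
            return ALLOWED.contains(requested)
                    ? "preflight accepted: Access-Control-Allow-Methods: " + String.join(", ", ALLOWED)
                    : "preflight refused: no CORS headers added";
        }
        return "actual request: add Access-Control-Allow-Origin and pass through";
    }

    // Failure mode suspected in the description: requiring the preflight-only header everywhere.
    static String decideMisapplied(String method, Map<String, String> h) {
        if (!h.containsKey("Origin")) return "not CORS: pass through";
        String requested = h.get("Access-Control-Request-Method");
        return requested != null && ALLOWED.contains(requested)
                ? "accepted" : "rejected: Access-Control-Request-Method missing or not allowed";
    }

    // Builds a constructed sample header map; header names compare case-insensitively.
    static Map<String, String> headers(String... kv) {
        Map<String, String> h = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        for (int i = 0; i + 1 < kv.length; i += 2) h.put(kv[i], kv[i + 1]);
        return h;
    }

    public static void main(String[] args) {
        Map<String, String> preflight = headers("Origin", "http://app.example", "Access-Control-Request-Method", "PUT");
        Map<String, String> actualPut = headers("Origin", "http://app.example", "Content-Type", "application/json");
        System.out.println(decide("OPTIONS", preflight));        // preflight: allow-list applied
        System.out.println(decide("PUT", actualPut));             // actual PUT: no header required
        System.out.println(decideMisapplied("PUT", actualPut));   // same PUT wrongly rejected
    }
}
```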