Build Identifier: 8.0.0.RC0

With the CrossOriginFilter, when performing a "not simple" request, that is, a PUT or DELETE, a first preflight request is issued and properly handled. But the second and "actual" request (the PUT or the DELETE) must have the header "Access-Control-Allow-Origin" = "*" added in its response (http://www.w3.org/TR/cors/#resource-preflight-requests, section 5.1§3).

Without the header, the client (tested with Firefox 5+ and Chrome 11+) will not handle the body: it considers the body as empty, and raises an error. Example: http://kodemaniak.de/?p=62, explained in the very last paragraph.

Reproducible: Always

Steps to Reproduce:
1. Enable CORS
2. Perform a PUT or DELETE request from a JavaScript client (may return something or not)
3. The OPTIONS request is well handled.
4. The actual request fails with an error (see in Firebug, for example).
Simone, can you look at this one, as I find the specification document a bit impenetrable and you've already looked at it, so you may have a better understanding than I. The spec appears to distinguish behaviour for simple requests, actual requests and preflight requests. However, the filter appears to assume that any non-simple requests are preflight requests. It would also be good to have a test harness for this filter. Cheers
Fixed in Jetty 7. Now actual responses contain the Access-Control-Allow-Origin header.
*** Bug 365746 has been marked as a duplicate of this bug. ***
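
The behaviour discussed in this bug, as an added example that is not Jetty's CrossOriginFilter code and not part of the original report: a framework-free model of the filter's decision, with the reported logic beside the corrected one. The function names, the allowlisted origin (echoed back instead of "*"), and the sample requests are assumptions constructed for illustration, and "simple" is reduced to the request method only.

```javascript
// Added example, not Jetty's CrossOriginFilter source. Origins, methods and
// function names below are assumptions chosen for illustration.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]); // constructed
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);

// Header names are lower-cased, as Node's http module delivers them.
function isPreflight(req) {
  return req.method === "OPTIONS" &&
    req.headers["access-control-request-method"] !== undefined;
}

function preflightHeaders(origin, req) {
  const wanted = req.headers["access-control-request-method"];
  if (!ALLOWED_METHODS.includes(wanted)) return {}; // browser will block
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": ALLOWED_METHODS.join(","),
    "Vary": "Origin",
  };
}

// Model of the reported behaviour: anything that is not a simple method is
// treated as a preflight, so an actual PUT/DELETE gets no CORS headers.
function reportedBehaviour(req) {
  const origin = req.headers["origin"];
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  if (SIMPLE_METHODS.has(req.method)) {
    return { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  }
  return isPreflight(req) ? preflightHeaders(origin, req) : {};
}

// Corrected logic: a preflight gets the negotiation headers; every other
// cross-origin request (simple or actual) gets Access-Control-Allow-Origin.
function correctedBehaviour(req) {
  const origin = req.headers["origin"];
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  if (isPreflight(req)) return preflightHeaders(origin, req);
  return { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
}

// Constructed sample requests: the preflight, then the actual PUT.
const sampleOrigin = "https://app.example.test";
const preflight = { method: "OPTIONS",
  headers: { origin: sampleOrigin, "access-control-request-method": "PUT" } };
const actualPut = { method: "PUT", headers: { origin: sampleOrigin } };
console.log(reportedBehaviour(actualPut));  // {} : browser discards the body
console.log(correctedBehaviour(actualPut)); // includes Access-Control-Allow-Origin
```

These functions are the kind of unit a test harness for the filter would exercise: one preflight, one actual PUT or DELETE, and one request from an origin outside the allowlist.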