Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.
Bug 365746 - CrossOriginFilter blocks PUT requests
Summary: CrossOriginFilter blocks PUT requests
Status: RESOLVED DUPLICATE of bug 360912
Alias: None
Product: Jetty
Classification: RT
Component: other (show other bugs)
Version: unspecified   Edit
Hardware: All All
: P3 normal (vote)
Target Milestone: 7.5.x   Edit
Assignee: Simone Bordet CLA
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-12-06 09:43 EST by Krishna CLA
Modified: 2012-01-18 06:44 EST (History)
2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Krishna CLA 2011-12-06 09:43:53 EST 
Build Identifier: 7.4.5.v20110725

Even with the following definition in web.xml the CrossOriginFilter returns a 405 for PUT requests.

       <filter>
               <filter-name>cross-origin</filter-name>
               <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter
               </filter-class>
               <init-param>
                       <param-name>allowedMethods</param-name>
                       <param-value>GET,POST,PUT,OPTIONS,HEAD</param-value>
               </init-param>
       </filter>

The pre-flight response is:

Access-Control-Allow-Methods: GET, POST, PUT, OPTIONS, HEAD

This seems be due to the way the method isMethodAllowed in the filter is structured. The method checks to see if the header Access-Control-Request-Method is present. However, for the actual PUT request browsers (at least Firefox in my limited testing) do not send this header; it is sent only for the pre-flight OPTIONS request.

This page also seems to suggest that the browsers will not send this header for the actual PUT request:
http://www.html5rocks.com/en/tutorials/cors/#toc-handling-a-not-so-simple-request

This bug was confirmed in the mailing list: http://dev.eclipse.org/mhonarc/lists/jetty-users/msg01755.html

Reproducible: Always

Steps to Reproduce:
1. Set up the CrossOriginFilter with PUT being added to the allowedMethods init-param
2. Hit an end-point that supports PUT
Comment 1 Thomas Becker CLA 2012-01-13 08:36:07 EST 
The current implementation works just as described here:

http://www.html5rocks.com/en/tutorials/cors/#toc-handling-a-not-so-simple-request

The method isMethodAllowed() is only being called on the preflight request itself and thus only on the preflight request the filter checks for the Access-Control-Request-Method header.

Have a look at: 
CrossOriginFilterTest.testPUTRequestWithPreflight()

This test sends a preflight request with the Access-Control-Request-Method header and the actual PUT request without that header.

So is this problem fixed for you in trunk or am I getting the issue wrong?
Comment 2 Simone Bordet CLA 2012-01-18 06:44:40 EST 
The behavior of the CrossOriginFilter is correct, this bug duplicates https://bugs.eclipse.org/bugs/show_bug.cgi?id=360912.

*** This bug has been marked as a duplicate of bug 360912 ***