[jetty-dev] CrossOriginFilter-servlet



I am using Jetty in conjunction with GeoServer. From testing out the CrossOriginFilter and looking at the code, it seems to me that there is still a bug when all origins are allowed (*): the Jetty filter returns the origin (not the *) in line 398, but does not set the Vary option in line 401. So the browser caches the origin response, and if I have two different sites making requests to the same Jetty server, the second request will not be managed by the browser, because the cached allowed origin does not match the current origin (tested with current Chrome and Firefox). Looking at the Tomcat servlet, I noticed that they return the * if all origins are allowed and not the specific origin (line 413). So the code could be (instead of lines 398-401):


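if (anyOriginAllowed) {
    // All origins are allowed: return "*" instead of the specific origin
    response.setHeader(ACCESS_CONTROL_ALLOW_ORIGIN_HEADER, "*");
}
else {
    response.setHeader(ACCESS_CONTROL_ALLOW_ORIGIN_HEADER, origin);
    //W3C CORS spec
    response.addHeader("Vary", ORIGIN_HEADER);
}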



Can you please fix that, or is there a specific reason that Jetty always returns the origin? If there is, then it also always has to return the Vary header, and not only if not all origins are allowed.




IBYKUS AG für Informationstechnologie, Erfurt / HRB 108616 - D-Jena / Executive Board: Helmut C. Henkel, Dr. Lutz Richter
Chairman of the Supervisory Board: Dr. Helmut Vorndran
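
The caching behaviour reported in the message above can be reproduced with a small model of a cache that honours Vary. This is an added example, not part of the original post and not Jetty or Tomcat code; the policy names, URL and origins are constructed, and it assumes the response is cacheable.

```javascript
// Three ways a filter configured with allowed origins "*" could answer.
const policies = {
  // Reported behaviour: echo the request origin, no Vary header.
  echoNoVary: (origin) => ({ "access-control-allow-origin": origin }),
  // Proposed fix: return the literal "*".
  wildcard: () => ({ "access-control-allow-origin": "*" }),
  // Alternative named in the post: echo the origin and always send Vary.
  echoWithVary: (origin) => ({
    "access-control-allow-origin": origin,
    "vary": "Origin",
  }),
};

// Header names listed in a Vary value, lower-cased.
function varyNames(headers) {
  return (headers["vary"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Fetch through a cache: a stored response is reused only when every request
// header named in its Vary matches the new request. Returns true when the
// CORS check on the response that reaches the page succeeds.
function fetchThroughCache(cache, policy, url, origin) {
  const req = { origin };
  const entries = cache.get(url) || [];
  let entry = entries.find((e) => e.vary.every((n) => e.req[n] === req[n]));
  if (!entry) {
    const headers = policy(origin); // cache miss: ask the server
    entry = { req, headers, vary: varyNames(headers) };
    cache.set(url, [...entries, entry]);
  }
  const acao = entry.headers["access-control-allow-origin"];
  return acao === "*" || acao === origin;
}

// Two different sites request the same resource through the same cache.
function twoSites(policyName) {
  const cache = new Map();
  const url = "https://geo.example/wms"; // constructed URL
  const policy = policies[policyName];
  return {
    first: fetchThroughCache(cache, policy, url, "https://site-a.example"),
    second: fetchThroughCache(cache, policy, url, "https://site-b.example"),
  };
}

for (const name of Object.keys(policies)) console.log(name, twoSites(name));
```

Only `echoNoVary` fails for the second site, because the cached response still carries the first site's origin.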
