CORS Filter

  • Cross-Origin Resource Sharing (CORS) for your Java web apps
  • Implements the new W3C mechanism for cross-domain requests
  • Quick and transparent fit to new and existing Java web apps

The first universal CORS implementation for Java web apps

CORS Filter is the first universal solution for fitting Cross-Origin Resource Sharing (CORS) support to Java web applications. CORS is a recent W3C effort to introduce a standard mechanism for enabling cross-domain requests in web browsers and participating servers.

The CORS web context

The future of the web is cross-domain, not same-origin

Since the early days of the web (think Netscape 2.0) browsers have enforced, to various degrees, a same-origin policy to prevent leaking of confidential user data to third-party sites. The same-origin policy was carried over to the revolutionary XMLHttpRequest, which appeared in the early 2000s. Modern web applications, however, increasingly seek to dynamically integrate content and services from third parties, which was initially achieved through "hacks" such as JSONP. CORS was created in recognition that cross-domain requests advance the spirit of the web, are here to stay, and therefore had better be standardised.

The philosophy of CORS

CORS works two-fold:

The original CORS specification is available at http://www.w3.org/TR/cors/

Note that in order for CORS to work, it must be supported by both browser and web server.

Security

Bear in mind that CORS is not about providing server-side security. The controls that it imposes primarily protect the browser, and more specifically the legitimate JavaScript apps that run in it and any confidential user data (cookies), from some cross-site exploits. Remember, after all, that the Origin request header is supplied by the browser and the server has no direct means to verify it.

Browsers supporting CORS

The following major browsers support CORS as of July 2012. Reported penetration among users stood at 92% as of April 2013.

  • Firefox 3.5+
  • Internet Explorer 8+
  • Google Chrome 3+
  • Apple Safari 4+
  • Opera 12+

Internet Explorer: partial support via the XDomainRequest object. Version 10 of IE is expected to have full CORS support integrated into the common XMLHttpRequest object.

The CORS Filter solution - plug in and forget

The CORS Filter can be plugged into any standard Java Servlet container to handle cross-site requests to servlets, JSPs and HTML files residing on the server.

The CORS Filter, as the name implies, implements the clever javax.servlet.Filter interface. It intercepts incoming HTTP requests and if they are identified as cross-origin, it applies the proper CORS policy and headers, before passing them on to the actual targets (servlets, JSPs, static XML/HTML documents).

This transparent nature of the CORS Filter makes it very easy to retrofit existing Java web services with a CORS capability. Just put the CORS JAR file into your CLASSPATH and enable it with a few lines of XML in your web.xml file. The CORS Filter implementation is extremely efficient too - it takes less than 30K of bytecode.
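
A simplified sketch of the interception described above, added here as an illustration and not taken from the CORS Filter sources: a javax.servlet.Filter that checks the Origin header against an exact allow-list before passing the request on. The class name, the sample origins and the permitted methods and headers are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Illustrative origin allow-list filter (added example, not the CORS Filter source). */
public class AllowListCorsFilter implements Filter {
    // Constructed sample origins: scheme + host (+ port), compared exactly.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "https://app.example.com", "https://admin.example.com"));

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String origin = req.getHeader("Origin");

        res.addHeader("Vary", "Origin");   // response differs per Origin, so caches must key on it
        if (origin == null) {              // no Origin header: not a CORS request
            chain.doFilter(rq, rs);
            return;
        }
        boolean preflight = "OPTIONS".equals(req.getMethod())
                && req.getHeader("Access-Control-Request-Method") != null;
        if (!ALLOWED.contains(origin)) {
            // No CORS headers are set, so the browser withholds the response from the script.
            if (preflight) res.sendError(HttpServletResponse.SC_FORBIDDEN);
            else chain.doFilter(rq, rs);   // still runs server-side: never authorise on Origin alone
            return;
        }
        res.setHeader("Access-Control-Allow-Origin", origin);   // echo an allow-listed value, not "*"
        res.setHeader("Access-Control-Allow-Credentials", "true");
        if (preflight) {                   // answered by the filter; never reaches the target
            res.setHeader("Access-Control-Allow-Methods", "GET, POST");
            res.setHeader("Access-Control-Allow-Headers", "Content-Type");
            res.setHeader("Access-Control-Max-Age", "600");
            res.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        chain.doFilter(rq, rs);            // actual request: headers applied, pass to servlet/JSP
    }
}
```

Because the Origin value comes from the client, the allow-list only decides which browser scripts may read responses; authentication and authorisation of the request itself stay in the application.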

CORS Filter documentation

Resources

Official W3C documents:

Useful notes, tips and tricks:

Download

The CORS Filter is offered as free open source software under an integration-friendly Apache 2.0 license. The download package includes a JAR file ready for immediate deployment, a demo CORS WAR, documentation and the project sources.


CORS Filter Git repo: https://bitbucket.org/thetransactioncompany/cors-filter

Maven Central support: Since July 2012

Get in touch with me if you have any questions or feedback to share.

Credits

Thanks to Anne van Kesteren and Adam Barth for answering my queries on the W3C mailing list during the development of the CORS Filter. Also thanks to the greater community for the effort to come up with a web standard to solve the issue of cross-origin HTTP requests.

Joost Cassee contributed the Maven POM for the CORS Filter and the Java Property Utils dependency.

Jared Ottley and Luis Sala of Alfresco contributed the Origin subdomains matching feature which appeared in version 1.4.