CORS Filter

Tips and Tricks

How to detect CORS support in a browser

The following JavaScript snipped can be used to detect CORS support in the browser:

function browserSupportsCors() {
	if ("withCredentials" in new XMLHttpRequest())
		return true;
	else if (typeof XDomainRequest == "object")
		return true;
		return false;

The XDomainRequest object is specific to IE 8+, the other browsers extend the existing XMLHttpRequest.

For IE 8, 9: Keep all your responses as text/plain

If you want your cross-domain web service to support as many browsers as possible set the content-type of all your responses to text/plain.

Content-Type: text/plain

Internet Explorer's CORS implementation, via the XDomainRequest object, imposes a number of limitations on cross-domain calls, including a rule that only "text/plain" responses are accepted. If your service returns any other content type, e.g. "application/json", the response will be silently discarded.

Check out the following post for more information:

XDomainRequest - Restrictions, Limitations and Workarounds

Update February 2012: Good news for developers! Internet Explorer 10 is expected to bring full CORS support through the XMLHttpRequest object as other browsers do. Read the MSDN article.

CORS and browser cookies

Users occasionally report that browser cookies don't work as expected in a cross-domain setting.

Does your filter take care of sessions? For each CORS request I get a different JSESSIONID.

In order for a Java web application or service to get at a cookie, both the CORS Filter in front of it as well as the requesting JavaScript must explicitly allow this form of credential:

First, the JavaScript that initiates the XHR call must set its "withCredentials" flag to true. If not the browser will prevent the passing of cookies during the cross-domain call.

var xhr = new XMLHttpRequest();
var url = 'http://bar.other/resources/credentialed-content/';'GET', url, true);
xhr.withCredentials = true;
xhr.onreadystatechange = handler;

Second, the CORS Filter must also expressly state to the browser that cookies are permitted. This is advertised during the so called "pre-flight" request that the browser makes before an actual request that may involve credentials, such as cookies. The CORS Filter ships with a default configuration where credentials, such as cookies, are marked as allowed when responding to preflight requests. To restrict this edit the cors.supportsCredentials configuration parameter.

The Java CORS filter itself doesn't access the cookie headers in any way, nor does it interface to the JSESSIONID.

So, to sum up, both the calling script on the browser side as well as the CORS Filter on the server side must expressly have the credentials flag enabled for cookies to pass through.

There is a snag however and it has to do with Internet Explorer. Its XDomainRequest implementation of CORS doesn't allow cookies to be passed at all, for security reasons says Microsoft. Which is probably a good thing. So if you wish to achieve wider browser support for your cross-domain application or service you will have to use an alternative mean to cookies for storing session IDs, such as passing the token as an URL parameter.

Allowing HTTP basic authentication

If your web server requires HTTP basic authentication to process requests you need to tell CORS aware browsers to let Authorization headers through, else the browser will not send them and authentication will fail.

To do that add the Authorization header name to the list of supported headers (cors.supportedHeaders):


Allowing subdomains

If you wish to allow CORS requests to multiple subdomains in your domain, but for various reasons cannot list them in the filter configuration, set the cors.allowSubdomains parameter to true.

For example, if the explicitly allowed origin is and the subdomains setting is on, then all of the following subdomain origins will be automatically allowed too:

Note that for a subdomain to be allowed, both its scheme (http or https) and its suffix (top domain host name + optional IP address) must match.

This feature was contributed in version 1.4.

HTTP caching / CDN support

CORS Filter 1.9.2 added support for the Vary header to prevent erroneous caching of CORS response headers.

Read the full discussion is at

Asynchronous servlet processing

The Servlet 3.0 specification added support for asynchronous processing of requests which can greatly increase the throughput of Java web applications.

Asynchronuous processing requires the following line to the added to the CORS Filter declaration in the web.xml descriptor:


Automatic reconfiguration

A special variant of the CORS Filter is available which can automatically detect changes to the configuration file and reconfigure itself.

Stick the following declaration into your web.xml file to use CORS Filter variant:


This filter variant must be configured with an external Java properties file. The filter init-param style configuration will not work here as the web.xml file may not be modified at runtime.

The configuration file will be polled for changes every 20 seconds. If a change is detected the filter will automatically reload itself with the new configuration. If the new configuration is invalid an error message will be printed to the server log and the filter will continue operating with its previous intact settings.

To override this interval set the cors.configFilePollInterval system property.

For example, to set the poll interval to 5 seconds:


Spring Bean configuration

Somewhere in your Spring configuration files, you need to initialise the bean similar to this:

<bean id="corsFilter" class="com.myproject.filters.CorsSpringFilter" >
    <constructor-arg >
        <bean class="com.thetransactioncompany.cors.CORSConfiguration" >
	        <!-- Init the CORS filter via Spring so that properties can be extracted from anywhere-->
                    <prop key="cors.allowOrigin">${cors.allowOrigin}</prop>
                    <prop key="cors.allowSubdomains">${cors.allowSubdomains}</prop>
                    <prop key="cors.supportedHeaders">${cors.supportedHeaders}</prop>
                    <prop key="cors.exposedHeaders">${cors.exposedHeaders}</prop>
                    <prop key="cors.supportedMethods">${cors.supportedMethods}</prop>
                    <prop key="cors.supportsCredentials">${cors.supportsCredentials}</prop>
                    <prop key="cors.maxAge">${cors.maxAge}</prop>
                    <prop key="cors.tagRequests">${cors.tagRequests}</prop>

A Spring user still needs to provide a wrapping class along the lines of

public class CorsSpringFilter implements javax.servlet.Filter {
    static CORSFilter corsFilter;

    public CorsSpringFilter(CORSConfiguration corsConfiguration) throws ServletException {
        corsFilter = new CORSFilter(corsConfiguration);

    public CorsSpringFilter() {

    public void init(FilterConfig filterConfig) throws ServletException {


    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        corsFilter.doFilter(request, response, chain);

    public void destroy() {

Which can be configured for deployment in web.xml thus:


FireBug is your friend

The versatile FireBug add-on is an excellent mean for debugging cross-domain calls. Yes, that's another reason to get FireFox :-)

Firebug has an excellent network activity monitor which can be used to reveal the CORS-specific conversation between browser and server during a cross-domain XHR. This is great for understanding how the protocol works, particularly the behaviour of simple/actual vs. pre-flight CORS requests.

To observe a CORS request in action you need a relatively recent version of Firebug (e.g. 1.6). Click on the "Net" tab and then on the "XHR" tab, then launch your cross-domain request.

Firebug XHR
How to load the Firebug Network Monitor

For a simple/actual CORS request Firebug will then display the following headers:

Simple request
Debugging a simple/actual CORS request

Note the Origin header which the browser inserted to identify the domain from which the HTML page originated. The server checks the Origin value and responds accordingly, by either allowing or denying the request.

Simple request
Debugging a simple CORS response

If the server allowed the origin it replies with an Access-Control-Allow-Origin header that contains a verbatim copy of the Origin header value or * (meaning any origin). The server may also include optional CORS response headers, such as Access-Control-Allow-Credentials (to tell the browser that it accepts cookies) or Access-Control-Expose-Headers (to tell the browser which custom headers are safe to expose to the requesting script).

CORS also has the so-called preflight request which browsers can send using HTTP OPTIONS prior to the actual CORS request to query the CORS settings of a particular HTTP server, such as the supported HTTP methods, custom headers, etc.

How to test CORS requests with a single web server

How to simulate a cross-domain request if you have just a single HTTP server to play with: Create a host alias of your web server and reload the requesting page using the alias URL.