<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Cross Origin Filter</title><link rel="stylesheet" type="text/css" href="css/docbook.css"><meta name="generator" content="DocBook XSL Stylesheets V1.79.1"><meta name="keywords" content="jetty, servlet, servlet-api, cometd, http, websocket, eclipse, maven, java, server, software"><link rel="home" href="index.html" title="Jetty"><link rel="up" href="advanced-extras.html" title="Chapter&nbsp;18.&nbsp;Provided Servlets, Filters, and Handlers"><link rel="prev" href="gzip-filter.html" title="Gzip Handler"><link rel="next" href="resource-handler.html" title="Resource Handler"><link xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" rel="shortcut icon" href="images/favicon.ico"><link rel="stylesheet" href="css/highlighter/foundation.css"><script src="js/highlight.pack.js"></script><script>
hljs.initHighlightingOnLoad();
</script><link type="text/css" rel="stylesheet" href="css/font-awesome/font-awesome.min.css"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><table xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><tr><td style="width: 25%"><a href="http://www.eclipse.org/jetty"><img src="images/jetty-header-logo.png" alt="Jetty Logo"></a><br><span style="font-size: small">
Version: 9.3.28.v20191105</span></td><td style="width: 50%"></td></tr></table><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Cross Origin Filter</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="gzip-filter.html"><i class="fa fa-chevron-left" aria-hidden="true"></i> Previous</a>&nbsp;</td><th width="60%" align="center">Chapter&nbsp;18.&nbsp;Provided Servlets, Filters, and Handlers<br><a accesskey="p" href="index.html"><i class="fa fa-home" aria-hidden="true"></i> Home</a></th><td width="20%" align="right">&nbsp;<a accesskey="n" href="resource-handler.html">Next <i class="fa fa-chevron-right" aria-hidden="true"></i></a></td></tr></table><hr></div><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="jetty-callout"><h5 class="callout"><a href="http://www.webtide.com/">Contact the core Jetty developers at
<span class="website">www.webtide.com</span></a></h5><p>
</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="cross-origin-filter"></a>Cross Origin Filter</h2></div></div></div><div class="toc"><dl class="toc"><dt><span class="section"><a href="cross-origin-filter.html#cross-origin-filter-metadata">Info</a></span></dt><dt><span class="section"><a href="cross-origin-filter.html#cross-origin-filter-usage">Usage</a></span></dt><dt><span class="section"><a href="cross-origin-filter.html#cross-origin-setup">Setup</a></span></dt><dt><span class="section"><a href="cross-origin-filter.html#cross-origin-config">Configuration</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="cross-origin-filter-metadata"></a>Info</h3></div></div></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">Classname: <code class="literal">org.eclipse.jetty.servlets.CrossOriginFilter</code></li><li class="listitem">Maven Artifact: org.eclipse.jetty:jetty-servlets</li><li class="listitem">Javadoc: <a class="link" href="http://www.eclipse.org/jetty/javadoc/9.3.28.v20191105/org/eclipse/jetty/servlets/CrossOriginFilter.html" target="_top">http://www.eclipse.org/jetty/javadoc/9.3.28.v20191105/org/eclipse/jetty/servlets/CrossOriginFilter.html</a></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="cross-origin-filter-usage"></a>Usage</h3></div></div></div><p>HTTP requests made from a script are subject to well-known restrictions, the most prominent being the same-origin policy.</p><p>Firefox 3.5 introduced support for W3C&#8217;s Access Control for Cross-Site Requests specification, which requires a compliant client (for example, Firefox 3.5) and a compliant server (via this servlet filter).</p><p>This filter implements the required bits to support the server-side contract of the specification, and will allow a compliant client to perform
cross-domain requests via the standard XMLHttpRequest object.
If the client does not issue a compliant cross-domain request, this filter does nothing, and its only overhead is the check for the presence of the cross-domain HTTP header.</p><p>This is extremely useful in CometD web applications, where it is now possible to perform cross-domain long polling without using script injection (also known as the JSONP transport), thereby removing all the downsides of the JSONP transport (it&#8217;s chattier, does not react quickly to failures, has a message size limit, uses GET instead of POST, etc.).</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="cross-origin-setup"></a>Setup</h3></div></div></div><p>You will need to put the <code class="literal">jetty-servlets.jar</code> file onto your classpath.
If you are creating a webapp, ensure that this jar is included in your webapp&#8217;s <code class="literal">WEB-INF/lib</code>.
Or, if you are running Jetty embedded you will need to ensure that <code class="literal">jetty-servlets.jar</code> is on the execution classpath.
You can download the <code class="literal">jetty-servlets.jar</code> from the Maven Central Repository at <a class="link" href="http://central.maven.org/maven2/org/eclipse/jetty/jetty-servlets/" target="_top">http://central.maven.org/maven2/org/eclipse/jetty/jetty-servlets/</a>.
It is also available as part of the Jetty distribution in the <code class="literal">$JETTY_HOME/lib</code> directory.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="cross-origin-config"></a>Configuration</h3></div></div></div><p>This is a regular servlet filter that must be configured in <code class="literal">web.xml</code>.</p><p>It supports the following configuration parameters:</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">allowedOrigins</span></dt><dd>A comma separated list of origins that are allowed to access the resources.
Default value is: * (all origins)</dd><dt><span class="term">allowedMethods</span></dt><dd>A comma separated list of HTTP methods that are allowed to be used when accessing the resources.
Default value is: GET,POST,HEAD</dd><dt><span class="term">allowedHeaders</span></dt><dd>A comma separated list of HTTP headers that are allowed to be specified when accessing the resources.
Default value is: X-Requested-With,Content-Type,Accept,Origin</dd><dt><span class="term">allowCredentials</span></dt><dd>A boolean indicating if the resource allows requests with credentials.
Default value is: true</dd><dt><span class="term">preflightMaxAge</span></dt><dd>The number of seconds that preflight requests can be cached by the client.
Default value is 1800 seconds (30 minutes)</dd><dt><span class="term">chainPreflight</span></dt><dd>If true, preflight requests are chained to their target resource for normal handling (as an OPTIONS request).
Otherwise the filter will respond to the preflight.
Default is true.</dd><dt><span class="term">exposedHeaders</span></dt><dd>A comma separated list of HTTP headers that are allowed to be exposed on the client.
Default value is the empty list.</dd></dl></div><p>A typical configuration could be:</p><pre xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><code>&lt;web-app&gt;
    &lt;filter&gt;
        &lt;filter-name&gt;cross-origin&lt;/filter-name&gt;
        &lt;filter-class&gt;org.eclipse.jetty.servlets.CrossOriginFilter&lt;/filter-class&gt;
    &lt;/filter&gt;
    &lt;filter-mapping&gt;
        &lt;filter-name&gt;cross-origin&lt;/filter-name&gt;
        &lt;url-pattern&gt;/cometd/*&lt;/url-pattern&gt;
    &lt;/filter-mapping&gt;
&lt;/web-app&gt;</code></pre></div></div><script type="text/javascript">
SyntaxHighlighter.all()
</script><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="gzip-filter.html"><i class="fa fa-chevron-left" aria-hidden="true"></i> Previous</a>&nbsp;</td><td width="20%" align="center"><a accesskey="u" href="advanced-extras.html"><i class="fa fa-chevron-up" aria-hidden="true"></i> Top</a></td><td width="40%" align="right">&nbsp;<a accesskey="n" href="resource-handler.html">Next <i class="fa fa-chevron-right" aria-hidden="true"></i></a></td></tr><tr><td width="40%" align="left" valign="top">Gzip Handler&nbsp;</td><td width="20%" align="center"><a accesskey="h" href="index.html"><i class="fa fa-home" aria-hidden="true"></i> Home</a></td><td width="40%" align="right" valign="top">&nbsp;Resource Handler</td></tr></table></div><p xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><div class="jetty-callout">
See an error or something missing?
<span class="callout"><a href="http://github.com/eclipse/jetty.project">Contribute to this documentation at
<span class="website"><i class="fa fa-github" aria-hidden="true"></i> Github!</span></a></span><span style="float: right"><i>(Generated: 2019-11-05)</i></span></div></p></body></html>