eBay/cors-filter eBay/cors-filter

  • This repository has been archived on 16/Jul/2019
  • Stars
    star
    231
  • Rank 169,691 (Top 4 %)
  • Language
    Java
  • License
    Apache License 2.0
  • Created about 11 years ago
  • Updated about 6 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
eBay/cors-filter
github

eBay

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

CORS (Cross Origin Resource Sharing) is a mechanism supported by W3C to enable cross origin requests in web-browsers. CORS requires support from both browser and server to work. This is a Java servlet filter implementation of server-side CORS for web containers such as Apache Tomcat.

CORS Filter

Build Status

Introduction

CORS (Cross Origin Resource Sharing) is a mechanism to enable cross origin requests. W3C defines the standards that enable this mechanism. CORS requires support from both the server and the browser in order to work. This is a Java Servlet Filter implementation of server-side CORS for Java web containers such as Apache Tomcat. Salient features:

  • Easy to integrate and use - enable CORS capability with a few lines in your web.xml!
  • Protects against CRLF injection / response splitting attacks.

Here's a link to a demo application running on google app engine: http://corsdemo.appspot.com/

Quick Start

Include cors-filter-x.x.x.jar in your web-application's classpath. Then, add the filter configuration to your web.xml. Example:

  <filter>
    <filter-name>CORS Filter</filter-name>
    <filter-class>org.ebaysf.web.cors.CORSFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CORS Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

Using CORS Filter in Your Maven Project

Add the cors-filter as a dependency:

  <dependency>
    <groupId>org.ebaysf.web</groupId>
    <artifactId>cors-filter</artifactId>
    <version>1.0.0</version>
  </dependency>

And, add the filter configuration in web.xml as demonstrated in the Quick Start section

Configuring CORS Filter

The minimal configuration required to use CORS Filter is:

  <filter>
    <filter-name>CORS Filter</filter-name>
    <filter-class>org.ebaysf.web.cors.CORSFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CORS Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

The table below lists various parameters that can be used to configure CORS Filter. If a parameter is not provided a default (documented below) is used.

param-name description
cors.allowed.origins A list of origins that are allowed to access the resource. A '*' can be specified to enable access to resource from any origin. Otherwise, a whitelist of comma separated origins can be provided. Ex: http://www.w3.org, https://www.apache.org. Defaults: * (Any origin is allowed to access the resource).
cors.allowed.methods A comma separated list of HTTP methods that can be used to access the resource, using cross-origin requests. These are the methods which will also be included as part of 'Access-Control-Allow-Methods' header in a pre-flight response. Ex: GET,POST. Defaults: GET,POST,HEAD,OPTIONS
cors.allowed.headers A comma separated list of request headers that can be used when making an actual request. These header will also be returned as part of 'Access-Control-Allow-Headers' header in a pre-flight response. Ex: Origin,Accept. Defaults: Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers
cors.exposed.headers A comma separated list of headers other than the simple response headers that browsers are allowed to access. These are the headers which will also be included as part of 'Access-Control-Expose-Headers' header in the pre-flight response. Ex: X-CUSTOM-HEADER-PING,X-CUSTOM-HEADER-PONG. Default: None
cors.preflight.maxage The amount of seconds, browser is allowed to cache the result of the pre-flight request. This will be included as part of 'Access-Control-Max-Age' header in the pre-flight response. A negative value will prevent CORS Filter from adding this response header from pre-flight response. Defaults: 1800
cors.support.credentials A flag that indicates whether the resource supports user credentials. This flag is exposed as part of 'Access-Control-Allow-Credentials' header in a pre-flight response. It helps browser determine whether or not an actual request can be made using credentials. Defaults: true
cors.logging.enabled A flag to control logging to container logs. Defaults: false
cors.request.decorate A flag to control if the request should be decorated or not. Defaults: true

To override filter configuration defaults, specify them in the init-params while configuring the filter in web.xml. Example:

  <filter>
    <filter-name>CORS Filter</filter-name>
    <filter-class>org.ebaysf.web.cors.CORSFilter</filter-class>
    <init-param>
      <description>A comma separated list of allowed origins. Note: An '*' cannot be used for an allowed origin when using credentials.</description>
      <param-name>cors.allowed.origins</param-name>
      <param-value>http://localhost:8080,http://localhost.ebay.com:8080</param-value>
    </init-param>
    <init-param>
      <description>A comma separated list of HTTP verbs, using which a CORS request can be made.</description>
      <param-name>cors.allowed.methods</param-name>
      <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
    </init-param>
    <init-param>
      <description>A comma separated list of allowed headers when making a non simple CORS request.</description>
      <param-name>cors.allowed.headers</param-name>
      <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
    </init-param>
    <init-param>
      <description>A comma separated list non-standard response headers that will be exposed to XHR2 object.</description>
      <param-name>cors.exposed.headers</param-name>
      <param-value></param-value>
    </init-param>
    <init-param>
      <description>A flag that suggests if CORS is supported with cookies</description>
      <param-name>cors.support.credentials</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <description>A flag to control logging</description>
      <param-name>cors.logging.enabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <description>Indicates how long (in seconds) the results of a preflight request can be cached in a preflight result cache.</description>
      <param-name>cors.preflight.maxage</param-name>
      <param-value>10</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CORS Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

Information added by CORS Filter about request in HttpServletRequest object

CORS Filter adds information about a CORS request, in the HttpServletRequest object, for consumption downstream. Following attributes are set:

  • cors.isCorsRequest: Flag to determine if a request is a CORS request.
  • cors.request.origin: Origin URL.
  • cors.request.type: Type of CORS request. Possible values:
    • SIMPLE: A request which is not preceded by a pre-flight request.
    • ACTUAL: A request which is preceded by a pre-flight request.
    • PRE_FLIGHT: A pre-flight request.
    • NOT_CORS: A normal same-origin request.
    • INVALID_CORS: A cross-origin request, which is invalid.
  • cors.request.headers: Request headers sent as 'Access-Control-Request-Headers' header, for a pre-flight request.

To prevent CORS Filter from setting above attributes, set 'cors.request.decorate' init-param to false.

Background on CORS

A cross origin request, is a HTTP request for a resource that serves from a different origin than the origin of the application that is requesting the resource. For example, a request originating from a page served from http://www.ebay.com, to a resource on http://www.google.com.

Same origin policy in browsers prevents XMLHttpRequest to make a request to a resource, on a origin that's different from the source origin.

By enabling CORS support on server side, a resource can support cross-origin requests in a way that's supported by W3C standards. For more details, please refer: W3C CORS

How it works

CORS Flowchart

References

Here's a list of good resources to start with CORS:

A list of good security resources around CORS:

More Repositories

1

NMessenger

A fast, lightweight messenger component built on AsyncDisplaykit and written in Swift
Swift
2,424
star
2

nice-modal-react

A modal state manager for React.
TypeScript
1,949
star
3

akutan

A distributed knowledge graph store
Go
1,656
star
4

tsv-utils

eBay's TSV Utilities: Command line tools for large, tabular data files. Filtering, statistics, sampling, joins and more.
D
1,413
star
5

bayesian-belief-networks

Pythonic Bayesian Belief Network Package, supporting creation of and exact inference on Bayesian Belief Networks specified as pure python functions.
Python
1,122
star
6

NuRaft

C++ implementation of Raft core logic as a replication library
C++
966
star
7

restcommander

Fast Parallel Async HTTP client as a Service to monitor and manage 10,000 web servers. (Java+Akka)
Java
899
star
8

parallec

Fast Parallel Async HTTP/SSH/TCP/UDP/Ping Client Java Library. Aggregate 100,000 APIs & send anywhere in 20 lines of code. Ping/HTTP Calls 8000 servers in 12 seconds. (Akka) www.parallec.io
Java
810
star
9

HeadGazeLib

A library to empower iOS app control through head gaze without a finger touch
Swift
754
star
10

Sequence-Semantic-Embedding

Tools and recipes to train deep learning models and build services for NLP tasks such as text classification, semantic search ranking and recall fetching, cross-lingual information retrieval, and question answering etc.
Python
459
star
11

modanet

ModaNet: A large-scale street fashion dataset with polygon annotations
327
star
12

flutter_glove_box

Various eBay tools for Flutter development
Dart
317
star
13

Neutrino

Neutrino is a software load balancer(SLB)
Scala
306
star
14

KPRN

Reasoning Over Knowledge Graph Paths for Recommendation
Lua
279
star
15

UAF

UAF - Universal Authentication Framework
Java
276
star
16

griffin

Model driven data quality service
JavaScript
240
star
17

Jungle

An embedded key-value store library specialized for building state machine and log store
C++
219
star
18

ebayui-core

Collection of Marko widgets; considered to be the core building blocks for all eBay components, pages & apps
TypeScript
210
star
19

sbom-scorecard

Generate a score for your sbom to understand if it will actually be useful.
Go
209
star
20

jsonpipe

A lightweight AJAX client for chunked JSON responses
JavaScript
204
star
21

ebay-font

A small utility to efficiently load custom web fonts
JavaScript
175
star
22

skin

Pure CSS framework designed & developed by eBay for a branded, e-commerce marketplace.
JavaScript
171
star
23

accelerator

The Accelerator is a tool for fast and reproducible processing of large amounts of data.
Python
150
star
24

firebase-remote-config-monitor

Monitors firebase remote config values, posting changes to slack
JavaScript
136
star
25

maxDNN

High Efficiency Convolution Kernel for Maxwell GPU Architecture
C++
132
star
26

go-ovn

A Go library for OVN Northbound/Southbound DB access using native OVSDB protocol
Go
108
star
27

Gringofts

Gringofts makes it easy to build a replicated, fault-tolerant, high throughput and distributed event-sourced system.
C++
102
star
28

parallec-samples

Single file examples and ready-to-use servers show how to use parallec.io library. Examples to aggregate APIs and publish to Elastic Search and Kafka, and many more. www.parallec.io
Java
92
star
29

userscript-proxy

HTTP proxy to inject scripts and stylesheets into existing sites.
JavaScript
84
star
30

xcelite

Java
81
star
31

mindpatterns

HTML Accessibility Pattern Examples
HTML
79
star
32

embedded-druid

Java
75
star
33

figma-include-accessibility-annotations

Include is a tool built to make annotating for accessibility (a11y) easierβ€”easier for designers to spec and easier for developers to understand what is required.
JavaScript
73
star
34

RANSynCoders

Jupyter Notebook
72
star
35

ebay-oauth-python-client

Python OAuth SDK: Get OAuth tokens for eBay public APIs
Python
71
star
36

Design-Grid-Overlay

A Chrome extension to overlay a design grid on your web page; configurable to fit many design scenarios.
JavaScript
65
star
37

ebay-oauth-nodejs-client

πŸ”‘ Generate an OAuth token that can be used to call the eBay Developer REST APIs.
JavaScript
62
star
38

json-comparison

Powerful JSON comparison tool for identifying all the changes within JSON files
Java
60
star
39

bascomtask

Lightweight parallel Java tasks
Java
60
star
40

xFraud

Jupyter Notebook
60
star
41

DASTProxy

Java
57
star
42

jsonex

Java Object Serializer and Deserializer to JSON Format. Focuses on configuration friendliness, arbitrary object serialization and compact JSON format
Java
56
star
43

ebay-oauth-csharp-client

eBay OAuth C# Client Library
C#
54
star
44

nvidiagpubeat

nvidiagpubeat is an elastic beat that uses NVIDIA System Management Interface (nvidia-smi) to monitor NVIDIA GPU devices and can ingest metrics into Elastic search cluster, with support for both 6.x and 7.x versions of beats. nvidia-smi is a command line utility, based on top of the NVIDIA Management Library (NVML), intended to aid in the management and monitoring of NVIDIA GPU devices.
Go
53
star
45

ebay-oauth-java-client

eBay OAuth APIs client for Java
Java
48
star
46

nice-dag

nice-dag is a lightweight javascript library, which is used to present a DAG diagram.
TypeScript
47
star
47

SparkChamber

An event tracking framework for iOS
Swift
45
star
48

Winder

Winder is a simple state machine based on Quartz Scheduler. It helps to write multiple steps tasks on Quartz Scheduler. Winder derived from a state machine which is widly used in eBay Cloud. eBay Platform As A Service(PaaS) uses it to deploy software to hundreds of thousands virtual machines.
Java
45
star
49

AutoOpt

Automatic and Simultaneous Adjustment of Learning Rate and Momentum for Stochastic Gradient Descent
Python
44
star
50

GZinga

Java
43
star
51

YiDB

Java
43
star
52

collectbeat

Beats with discovery capabilities for environments like Kubernetes
Go
41
star
53

block-aggregator

C++
40
star
54

Jenkins-Pipeline-Utils

Global Jenkins Pipeline Library with common utilities.
Groovy
39
star
55

cassandra-river

Cassandra river for Elastic search.
Java
38
star
56

bsonpatch

A BSON implementation of RFC 6902 to compute the difference between two BSON documents
Java
38
star
57

arc

adaptive resources and components
JavaScript
35
star
58

regressr

A command line regression testing framework for testing HTTP services
Scala
34
star
59

ebashlib

A bash script battery which gathers several generic helper scripts for other repositories.
Shell
30
star
60

modshot

Takes screenshot of UI modules and compare with baselines using PhantomCSS
JavaScript
29
star
61

visual-html

Visual regression testing without the flakiness.
TypeScript
29
star
62

FeedSDK-Python

eBay Python Feed SDK - SDK for downloading large gzipped (tsv) item feed files and applying filters for curation
Python
29
star
63

accessibility-ruleset-runner

eBay Accessibility Ruleset Runner automates 20% of WCAG 2.0 AA recommendations, saving time on manual testing.
JavaScript
27
star
64

crossdomain-xhr

JavaScript
27
star
65

oink

REST based interface for PIG execution
Java
27
star
66

bonsai

open source version of the Bonsai library
Scala
26
star
67

ebayui-core-react

eBayUI React components
TypeScript
25
star
68

geosense

Self-contained jar to lookup timezone by lat+lon
Java
25
star
69

browser-telemetry

A Telemetry module for collecting errors, logs, metrics, uncaught exceptions etc on browser side.
JavaScript
25
star
70

oja

Lightweight Dependency Injection Framework for Node.JS Apps - Structure your application business logic
JavaScript
25
star
71

SketchSVG

Have icons in a Sketch file but don't want to manually extract and compress them as SVGs? Let our SketchSVG tool do it!
JavaScript
25
star
72

CustomRippleView

The Custom Ripple View library provides Android developers an easy way to customize and implement a Ripple Effect view.
Kotlin
24
star
73

FGrav

Dynamic Flame Graph Visualizations from raw data in your browser
JavaScript
24
star
74

nodash

Lightweight replacement for subset of Lodash
JavaScript
24
star
75

FeedSDK

Java SDK for downloading large gzipped (tsv) item feed files and applying filters for curation
Java
23
star
76

kube-credentials-plugin

A Jenkins plugin to store credentials in kubernetes
Java
21
star
77

releaser

A declarative API that syncs specs from git to kubernetes
Go
20
star
78

airflow-rest-api-plugin

A plugin of Apache Airflow that exposes REST endpoints for custom REST APIs.
Python
20
star
79

mtdtool

The Manual Test Demultiplexer is a desktop app (Mac and Windows) that provides an interface for driving manual testing on multiple physical devices.
Java
20
star
80

nice-form-react

A meta based form builder for React.
TypeScript
19
star
81

EBNObservable

A block-based Key-Value Observing (KVO) implementation with observable collections.
Objective-C
19
star
82

HomeStore

Storage Engine for block and key/value stores.
C++
19
star
83

skin-react

Skin components built with React (Typescript)
TypeScript
18
star
84

accelerator-project_skeleton

Python
18
star
85

taxonomy-sdk

An SDK designed to bring transparency to the rapid evolution of our aspects metadata for our partners.
Java
18
star
86

ebay-oauth-android-client

eBay OAuth Android Client library
Kotlin
17
star
87

wextracto

Python
17
star
88

myriad

Java
17
star
89

event-notification-nodejs-sdk

NodeJS SDK designed to simplify processing of eBay notifications.
JavaScript
17
star
90

TDD-Albums

A Hands-On Tutorial for iPhone Developers Learning TDD
17
star
91

fluid

Fluid Web Components
JavaScript
16
star
92

ostara

Java
16
star
93

lightning

Lightning is a Java based, super fast, multi-mode, asynchronous, and distributed URL execution engine from eBay
HTML
16
star
94

RTran

Road to Continous Upgrade
Scala
15
star
95

NautilusTelemetry

An iOS implementation of OpenTelemetry
Swift
15
star
96

hadoop-tsdb-connector

Java
15
star
97

Pine

Pine: Machine Learning Prediction As A Service
Scala
15
star
98

pynetforce

Network infrastructure automation service
Python
15
star
99

Vivid

A visual testing tool to compare two web pages visually and generate the pixel difference they have.
JavaScript
14
star
100

sisl

High Performance C++ data structures and utilities
C++
14
star