Tuesday, January 29, 2013

CORS filters choices


Have you ever had to work around JavaScript's same-origin policy and felt the need to take a shower with industrial-grade disinfectant immediately after? Well, fear no more, as HTML5 comes to the rescue with CORS (Cross-Origin Resource Sharing). Almost every conceivable hack that web developers used to do is being standardized as a feature spec in HTML5, and I thought CORS was a good feature. While there is good merit in the same-origin policy, with the ubiquity of data-vending servers that are being re-used by other data-vending servers, there needs to be a straightforward solution to transitive data sharing. The workarounds of setting the document.domain property, using JSONP or using crossdomain.xml (Flex only) were not seamless. By making this an HTML5 spec and conveying it by means of headers, there is now a definite method in the madness. This tutorial does a very good job of explaining the nuances related to preflight, credentials (cookies) and caching policies, along with all its usages via jQuery. The obvious concern of security has been aptly addressed in the following snippet from the tutorial.

A WORD ABOUT SECURITY

While CORS lays the groundwork for making cross-domain requests, the CORS headers are not a substitute for sound security practices. You shouldn’t rely on the CORS header for securing resources on your site. Use the CORS headers to give the browser directions on cross-domain access, but use some other security mechanism, such as cookies or OAuth2, if you need additional security restrictions on your content.

What was missing was a good server-side filter that enables this for a typical Java webapp. While the spec is pretty straightforward for the vanilla use cases, it quickly gets involved once we get into the details (preflight, credentials, caching). There are two alternatives out there that I could find:
  1. com.thetransactioncompany.cors.CORSFilter
    1. Pros:
      1. Hugely popular
      2. Additional support for allowing subdomains in allow list
      3. Frequently updated for latest specs and bug fixes
      4. Liberal license (Apache)
    2. Cons:
      1. Not from a stable house
  2. org.eclipse.jetty.servlets.CrossOriginFilter
    1. Pros:
      1. From Jetty
      2. Liberal license (Eclipse)
    2. Cons:
      1. Not very popular
      2. May seem somewhat unintuitive if we use Jetty-related artifacts in a Tomcat container environment
      3. Not aggressively updated
So, overall, it seems that the CORS filter from dzhuvinov is the winner, but I would be happy to know if others feel differently.
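A minimal filter of the kind both candidates implement, added here as an illustration rather than code from either project: an explicit origin allow list with the subdomain matching the first filter advertises, credential handling, and preflight answering. It assumes the javax.servlet 4.0 API (default init/destroy) and a hard-coded allow list in place of web.xml init-params; the origin values are constructed.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Minimal CORS filter: explicit origin allow list, optional subdomains, preflight answering. */
public class SimpleCorsFilter implements Filter {
    // Assumed configuration; a real filter reads these from web.xml init-params.
    private static final Set<String> ALLOWED_ORIGINS = Set.of("https://app.example.com");
    private static final boolean ALLOW_SUBDOMAINS = true;
    private static final boolean SUPPORTS_CREDENTIALS = true;

    /** True if origin matches an entry exactly or, when enabled, is a subdomain of one. */
    static boolean isAllowedOrigin(String origin) {
        if (origin == null) return false;
        for (String allowed : ALLOWED_ORIGINS) {
            if (allowed.equals(origin)) return true;
            // Compare scheme plus a dot-separated host suffix: a bare endsWith would
            // accept "https://evilexample.com" for the entry "https://example.com".
            int schemeEnd = allowed.indexOf("://");
            if (ALLOW_SUBDOMAINS && schemeEnd > 0
                    && origin.startsWith(allowed.substring(0, schemeEnd + 3))
                    && origin.endsWith("." + allowed.substring(schemeEnd + 3))) return true;
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String origin = request.getHeader("Origin");
        if (!isAllowedOrigin(origin)) {
            chain.doFilter(req, res); // same-origin request or disallowed origin: emit no CORS headers
            return;
        }
        // Echo the specific origin (never "*" when credentials are allowed) and vary on it for caches.
        response.setHeader("Access-Control-Allow-Origin", origin);
        response.addHeader("Vary", "Origin");
        if (SUPPORTS_CREDENTIALS) response.setHeader("Access-Control-Allow-Credentials", "true");
        boolean preflight = "OPTIONS".equals(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;
        if (preflight) { // answer the preflight here; the servlet never sees it
            response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
            response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
            response.setHeader("Access-Control-Max-Age", "600"); // browser may cache this result
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Note that the filter only tells the browser what to permit; as the quoted tutorial says, the actual resource still needs its own authentication and authorization.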
References:
