GWT Upload on Google Appengine - cross site protection


I want to implement a file upload for a GWT application running on Google App Engine. I used GWTUpload, but get the following error if I try to upload a file:

<stdout>: 2015-06-14 17:50:35 ERROR UploadServlet:70 - checkCORS error Origin: http://myApp.appspot.com does not match:^$

I looked into the UploadServlet and there is actually a check on the Origin against "^$". I do not quite understand what this regex matches: "^" seems to be the start of the String and "$" the end of it. But it seems to match only against an empty String?

  private boolean checkCORS(HttpServletRequest request, HttpServletResponse response) {
    String origin = request.getHeader("Origin");
    if (origin != null && origin.matches(corsDomainsRegex)) {
      // Maybe the user has used this domain before and has a session-cookie, we delete it
      //   Cookie c  = new Cookie("JSESSIONID", "");
      //   c.setMaxAge(0);
      //   response.addCookie(c);
      // All doXX methods should set these header
      response.addHeader("Access-Control-Allow-Origin", origin);
      response.addHeader("Access-Control-Allow-Credentials", "true");
      return true;
    } else if (origin != null) {
      logger.error("checkCORS error Origin: " + origin + " does not match:" + corsDomainsRegex);
    }
    return false;
  }

I cannot set "corsDomainsRegex" or override the method checkCORS() since they are both private. What's the actual problem here? How can I solve this?

1 answer

Steven Veltema (best answer)

This is a hardwired check to prevent people uploading files via other domain names. If you don't need this, you can change the corsDomainsRegex by adding the following to your web.xml (or whatever domain you wish to check against).

<context-param>
    <!-- match all domains -->
    <param-name>corsDomainsRegex</param-name>
    <param-value>.*</param-value>
</context-param>
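
The following is an added example, not part of the answer above or of GWTUpload's code. It applies the same `origin.matches(corsDomainsRegex)` test as the quoted `checkCORS()` to a few candidate values of `corsDomainsRegex`, showing which origins each one admits; the class name, the single-origin pattern and the sample origins are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class CorsRegexDemo {

    // Same test the quoted checkCORS() applies: String.matches() must match the
    // WHOLE Origin value, so the pattern is implicitly anchored at both ends.
    static boolean originAllowed(String origin, String corsDomainsRegex) {
        return origin != null && origin.matches(corsDomainsRegex);
    }

    public static void main(String[] args) {
        Map<String, String> patterns = new LinkedHashMap<>();
        patterns.put("default from the log", "^$");       // only the empty string
        patterns.put("match all (answer)", ".*");          // every origin
        patterns.put("unescaped dots", "https?://myApp.appspot.com");
        patterns.put("single origin", "https?://myApp\\.appspot\\.com");

        // Constructed sample Origin header values.
        String[] origins = {
            "http://myApp.appspot.com",
            "https://myApp.appspot.com",
            "http://myApp.appspot.com.other.example",
            "http://myAppXappspot.com",
            "http://other.example",
            ""
        };

        for (Map.Entry<String, String> p : patterns.entrySet()) {
            System.out.printf("%n%s: %s%n", p.getKey(), p.getValue());
            for (String origin : origins) {
                System.out.printf("  %-42s %s%n", "\"" + origin + "\"",
                        originAllowed(origin, p.getValue()) ? "allowed" : "rejected");
            }
        }
    }
}
```

With `.*`, the quoted servlet code echoes any requesting origin into `Access-Control-Allow-Origin` and also sends `Access-Control-Allow-Credentials: true`. In web.xml the single-origin pattern is written without Java string escaping, as `https?://myApp\.appspot\.com`.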