Why does CORS enabling in Geoserver does not work?

Question

I' am trying to rewrite my programmed WebGis (OpenLayers 6.14.1) to node.js to serve it. I am very new to this issue. Actually, the geodata is stored in a POSTGIS-database, served via Geoserver in local Tomcat.

In the Tomcat 9.0/webapps/geoserver/WEB-INF/web.xml file, I have uncommented the two parts for enabling CORS.

    <filter>
      <filter-name>cross-origin</filter-name>
      <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
      <init-param>
        <param-name>cors.allowed.origins</param-name>
        <param-value>*</param-value>
      </init-param>
      <init-param>
        <param-name>cors.allowed.methods</param-name>
        <param-value>GET,POST,PUT,DELETE,HEAD,OPTIONS</param-value>
      </init-param>
      <init-param>
        <param-name>cors.allowed.headers</param-name>
        <param-value>*</param-value>
      </init-param>
    </filter>

and

    <filter-mapping>
        <filter-name>cross-origin</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    

In MS Edge and Chrome, I get directly the CORS errors and my data isn't shown:

Access to image at 'http://localhost:8082/webgis/Daten/Symbole/GUI/Legende.svg' from origin 'http://website.de:1234' has been blocked by CORS policy: The request client is not a secure context and the resource is in more-private address space `local`

Access to fetch at 'http://localhost:8082/geoserver/crowdnew/ows?service=WFS&version=1.0.0&request=GetFeature&typeName=crowdnew%3Acrowdmapping&outputFormat=application%2Fjson' from origin 'http://website.de:1234' has been blocked by CORS policy: The request client is not a secure context and the resource is in more-private address space `local`.

In Firefox, data is shown (with and without active CORS-disabling extension). But if I send a POST request to the server (adding new data to the dataset inside the application), I get this error:

Code for request:

var req1 = new XMLHttpRequest();
    
    req1.open("POST", 'http:/localhost:8082/geoserver/wfs', false);
    
    req1.setRequestHeader('User-Agent', 'XMLHTTP/1.0');
    req1.setRequestHeader('Content-type', 'text/xml');
    req1.setRequestHeader('Access-Control-Allow-Origin', '*');
    
    
    req1.onreadystatechange = function() {
        if (req1.readyState != 4) return;
        if (req1.status != 200 && req1.status != 304) {
            alert('HTTP error ' + req1.status);
            return;
        }
    }

    if (req1.readyState == 4) return;
        req1.send(postData1);

XHR POST http://website.de:1234/localhost:8082/geoserver/wfs
[HTTP/1.1 405 Method Not Allowed 65ms]

When I click on this information I receive an answer with:

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Content-Type
Access-Control-Allow-Methods: GET, HEAD, PUT, PATCH, POST, DELETE
Access-Control-Allow-Origin:*
Allow: GET, HEAD

I've read CORS - Tomcat - Geoserver before, but when I add the mentioned code to the /conf/web.xml, the data isn't even shown in Firefox.

Does anybody know what to do?

Answer 1

1st the Not Allowed error is probably because you haven't authenticated, by default GeoServer requires authentication before users can alter the underlying data.

The CORS issue is to do with private networks and the solution given in this answer is to add a Access-Control-Allow-Private-Network header or server your client pages with HTTPS (or turn off security)