I think the CORS filter in Play does not work! I followed step by step as but somehow I always got HTTP-403 in the browser (Chrome and Firefox) in Ajax calls. Problem is I don't even get stacktrace on server side. I think DefaultHttpErrorHandler in the CORS filter somehow gulp that. In the response "Access-Control-Allow-Origin" header was missing so I just manually added that.

class Filters @Inject() (corsFilter: CORSFilter, log: LoggingFilter) extends HttpFilters {
  def filters = {
    // CORS filter does not work
    //Seq(corsFilter, log)
    Seq(log)
  }
}

This is the logging filter (Credit: Play! framework)

class LoggingFilter extends Filter {

  def apply(nextFilter: RequestHeader => Future[Result])(requestHeader: RequestHeader): Future[Result] = {

    val startTime = System.currentTimeMillis

    nextFilter(requestHeader).map { result =>

      val endTime = System.currentTimeMillis
      val requestTime = endTime - startTime

      Logger.info(s"${requestHeader.method} ${requestHeader.uri} " +
        s"took ${requestTime}ms and returned ${result.header.status}")

      result.withHeaders(
        "Request-Time" -> requestTime.toString,
        "Access-Control-Allow-Origin" -> "*"   // Added this header
      )
    }
  }
}

This will probably not solve the problem for the poster, but it solved the problem for me when I had the same symptoms, and I am posting it in case it can help others in the same situation.

I had actually misunderstood how CORS is working. I have two separate Play applications, one with a REST API and one with a web interface using the REST API. I followed the instructions in the documentation page mentioned in the question, but my mistake was that I did it on the web interface application. When I instead did it on the REST API application, it worked immediately.

I had the same problem while following the same documentation.

Problem is with this CORS filter that you have used:

allowedOrigins = ["*","http://localhost"]

If you want to allow all origins use:

allowedOrigins = null

Follow the same for allowedHttpMethods

This is as per the documentation

To quote:

The allowed origins. If null, all origins are allowed.

allowedOrigins = null

Hope this helps!

filters = "filters.Filters"


play.filters {

  cors {

    # The allowed origins. If null, all origins are allowed.
    allowedOrigins = null

    # The allowed HTTP methods. If null, all methods are allowed
    allowedHttpMethods = null

    # The allowed HTTP headers. If null, all  headers are allowed.
    allowedHttpHeaders = null
  }

}



public class Filters implements HttpFilters {

    @Inject
    private CORSFilter corsFilter;

    public EssentialFilter[] filters() {
        return new EssentialFilter[] {
            corsFilter.asJava()
        };
    }

}

Does it work in Firefox? Chrome has some restrictions on running Ajax from local files, e.g., see this link. If it is Chrome-specific, you can start up Chrome with a command-line switch to remove the restriction.

I was experiencing a similar issue, I was getting 403's on requests. I solved a the problem by removing the:

allowedHttpHeaders=["Accept"] 

that they use in their example configuration. I'm still not clear what the security implications of that are, however, so YMMV.