Bug 1521953 Comment 7 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
# Steps to reproduce

1. Create a simple API that returns value from the querystring 'name' field.
2. Configure API CORS to allow requests from 'http://Domain1.WebsiteHost1' and 'http://Domain2.WebsiteHost1'.
3. Configure API to include 'cache-control' response header.
4. Deploy API to 'http://ApiHost/api'.
5. Create a simple web page that submits an XHR request to the API, eg when a user clicks a button.
6. Deploy web page to 'http://Domain1.WebsiteHost1' and 'http://Domain2.WebsiteHost1'.
7. Open http://Domain1.WebsiteHost1 and http://Domain2.WebsiteHost1 in different browser tabs.
8. Trigger XHR request in 1st tab.
9. Trigger XHR request in 2nd tab.

## Expected result

At step 8, in http://Domain1.WebsiteHost1 tab, XHR request completes successfully and JavaScript can access response from the API.

At step 9, in http://Domain2.WebsiteHost1 tab, XHR request completes successfully and JavaScript can access response from the API.

## Actual result

At step 8, in http://Domain1.WebsiteHost1 tab, XHR request completes successfully and JavaScript can access response from the API.

At step 9, in http://Domain2.WebsiteHost1 tab, XHR request response is retrieved from cache. Console displays CORS error:

```
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://ApiHost/api/HttpTrigger1?name=World (Reason: CORS header 'Access-Control-Allow-Origin' does not match 'http://Domain1.WebsiteHost1')
```

## Actual example

### Web pages

* http://domain1.binarystore.com/
* http://domain2.binarystore.com/

Each domain contains only a home page. Home pages are identical.

### API end-point

* https://mozcorscachetestfunc.azurewebsites.net/api/HttpTrigger1

End-point reads 'name' querystring field and responds with "Hello, {name}". For example, `GET https://mozcorscachetestfunc.azurewebsites.net/api/HttpTrigger1?name=World` will return `Hello, World`.

HTTP response includes the `cache-control=public, max-age=600` header.
Browser version: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
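
A model of the behaviour reported in steps 8 and 9, added here as an illustration (not code from the bug report or from Firefox): a cache keyed only by URL replays the response stored for the first origin, and the CORS check then fails for the second. It assumes the API echoes the request's `Origin` into `Access-Control-Allow-Origin`, and it shows how a `Vary: Origin` response header changes the outcome; `apiRespond`, `HttpCache`, `corsCheck` and `runScenario` are hypothetical names.

```javascript
// Constructed model; host names are the placeholders used in the report.
const API_URL = 'http://ApiHost/api/HttpTrigger1?name=World';
const PAGES = ['http://Domain1.WebsiteHost1', 'http://Domain2.WebsiteHost1'];

// Hypothetical API: echoes an allowed Origin back in Access-Control-Allow-Origin.
// sendVary is an assumption; the report does not list every response header.
function apiRespond(origin, sendVary) {
  const headers = { 'cache-control': 'public, max-age=600' };
  if (PAGES.includes(origin)) headers['access-control-allow-origin'] = origin;
  if (sendVary) headers['vary'] = 'Origin';
  return { headers, body: 'Hello, World' };
}

// Minimal HTTP cache keyed by URL. A stored response is reused only when every
// request header named in its Vary header equals the one it was stored with.
class HttpCache {
  constructor() { this.store = new Map(); }
  varyMatches(entry, reqHeaders) {
    const vary = entry.response.headers['vary'];
    if (!vary) return true; // no Vary: any request for this URL is a hit
    return vary.split(',').map(h => h.trim().toLowerCase())
      .every(h => entry.reqHeaders[h] === reqHeaders[h]);
  }
  fetch(url, origin, sendVary) {
    const reqHeaders = { origin };
    const entry = this.store.get(url);
    if (entry && this.varyMatches(entry, reqHeaders)) return { ...entry.response, fromCache: true };
    const response = apiRespond(origin, sendVary);
    this.store.set(url, { reqHeaders, response });
    return { ...response, fromCache: false };
  }
}

// The check applied before script may read a cross-origin response.
function corsCheck(response, origin) {
  const acao = response.headers['access-control-allow-origin'];
  return acao === '*' || acao === origin;
}

// Steps 8 and 9: the same API URL requested from two page origins in turn.
function runScenario(sendVary) {
  const cache = new HttpCache();
  return PAGES.map(origin => {
    const res = cache.fetch(API_URL, origin, sendVary);
    return { origin, fromCache: res.fromCache, readable: corsCheck(res, origin) };
  });
}
console.log(runScenario(false), runScenario(true)); // without / with Vary: Origin
```

Without `Vary: Origin` the second origin gets a cache hit that fails the CORS check, matching the console error above; with it, the second request goes back to the API and is readable.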