Open Bug 1025582 Opened 11 years ago Updated 3 years ago

CORS request intermittently fails after refreshing page rapidly

Component: Core :: DOM: Security (defect)
Version: 30 Branch
Platform: x86_64 Windows 7
Status: UNCONFIRMED
Reporter: jpatapoff
Assignee: Unassigned
Whiteboard: [domsecurity-backlog]

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0 (Beta/Release)
Build ID: 20140605174243

Steps to reproduce:

Using v30.0. Loading the page for the first time works fine. When refreshing fairly rapidly, the CORS request fails. To reproduce, you can use http://clyp.it/zhwuptos and refresh at a rate of approximately 110 BPM (beats per minute - I used http://www.all8.com/tools/bpm.htm to figure this out). When refreshing much faster or slower than this, I'm unable to reproduce. When the CORS request fails, you will be redirected to /error.

Actual results:

I'm also able to reproduce this issue locally. Using Fiddler, I saw the following requests issued in the following order:

1) GET http://localhost.com:57892/ejt0dvae ---> 200 OK

2) OPTIONS http://api.localhost.com:57892/ejt0dvae/playlist

Request:
Host: api.localhost.com:57892
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: http://localhost.com:57892
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

Response:
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/8.0
Set-Cookie: TmpId=fc8748b791d94342875c920f366e1bd6; domain=.localhost.com; expires=Fri, 15-Jun-2114 02:07:24 GMT; path=/
Access-Control-Allow-Origin: http://localhost.com:57892
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: authorization
X-SourceFiles: =?UTF-8?B?QzpcVXNlcnNcSlBhdGFwb2ZmXERvY3VtZW50c1xWaXN1YWwgU3R1ZGlvIDIwMTJcTmV3UHJvamVjdHNcQXVkaW91clxBUElcZWp0MGR2YWVccGxheWxpc3Q=?=
Date: Sun, 15 Jun 2014 02:07:24 GMT
Content-Length: 0

3) OPTIONS http://api.localhost.com:57892/ejt0dvae/playlist HTTP/1.1

Request:
Host: api.localhost.com:57892
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: http://localhost.com:57892
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization
Connection: keep-alive

Response:
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/8.0
Set-Cookie: TmpId=ccd040927eec478c91a98b0453301541; domain=.localhost.com; expires=Fri, 15-Jun-2114 02:07:24 GMT; path=/
Access-Control-Allow-Origin: http://localhost.com:57892
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: authorization
X-SourceFiles: =?UTF-8?B?QzpcVXNlcnNcSlBhdGFwb2ZmXERvY3VtZW50c1xWaXN1YWwgU3R1ZGlvIDIwMTJcTmV3UHJvamVjdHNcQXVkaW91clxBUElcZWp0MGR2YWVccGxheWxpc3Q=?=
Date: Sun, 15 Jun 2014 02:07:24 GMT
Content-Length: 0

4) GET http://localhost.com:57892/error ---> 200 OK

This is where the ajax request fails, and I redirect to the error page.

5) GET http://api.localhost.com:57892/ejt0dvae/playlist

Request:
Host: api.localhost.com:57892
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Bearer {Token removed}
Referer: http://localhost.com:57892/ejt0dvae
Origin: http://localhost.com:57892
Cookie: TmpId=39ffac99c2904fd2ba4e44e6aa72ab1d; fbm_155900894616754=base_domain=.localhost.com
Connection: keep-alive

Response:
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.0
Access-Control-Allow-Origin: http://localhost.com:57892
Access-Control-Allow-Credentials: true
X-SourceFiles: =?UTF-8?B?QzpcVXNlcnNcSlBhdGFwb2ZmXERvY3VtZW50c1xWaXN1YWwgU3R1ZGlvIDIwMTJcTmV3UHJvamVjdHNcQXVkaW91clxBUElcZWp0MGR2YWVccGxheWxpc3Q=?=
Date: Sun, 15 Jun 2014 02:07:24 GMT
Content-Length: 501

{"PlaylistId":"uclcet12","AudioFiles":[{"Token":null,"Status":"Public","AudioFileId":"ejt0dvae","Title":"smallFile","Description":null,"Duration":0.131,"Url":"http://localhost.com:57892/ejt0dvae","Mp3Url":"http://adev.clyp.it/ejt0dvae.mp3","SecureMp3Url":"https://s3.amazonaws.com/adev.clyp.it/ejt0dvae.mp3","OggUrl":"http://adev.clyp.it/ejt0dvae.ogg","SecureOggUrl":"https://s3.amazonaws.com/adev.clyp.it/ejt0dvae.ogg","Longitude":null,"Latitude":null}],"Modifiable":true,"ContentAdministrator":true}

I believe I'm handling all of the CORS requirements correctly here. The headers on the request and response side both look good to me. It's hard to read the exact timing here, but it's interesting that the call to /error was executed before the call to /ejt0dvae/playlist. It's also interesting that OPTIONS was called twice.

I've also noticed that this is not unique to calls to my API. I intermittently get the following in the console (from the audio file player page I linked to above):

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://themes.googleusercontent.com/static/fonts/sourcesanspro/v7/toadOcfmlt9b38dHJxOBGFkQc6VGVFSmCnC_l7QZG60.woff. This can be fixed by moving the resource to the same domain or enabling CORS.

Expected results:

The CORS request should have succeeded.
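To make explicit what a browser checks when it decides whether a preflight like the one captured above passes, here is an added example (not Firefox's code and not the reporter's): a small Python checker following the Fetch spec's preflight rules, run over the OPTIONS request/response headers from the Fiddler capture. The safelists and the lowercase-dict layout are my own simplifications.

```python
# Added illustration (not Firefox's or the reporter's code): a Fetch-spec
# style CORS preflight check applied to the exchange captured in comment 0.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
# CORS-safelisted request headers never need listing in Allow-Headers
# (content-type's value restrictions are ignored here for brevity).
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}

def _csv(value):
    """Split a comma-separated header value into a lowercase set."""
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}

def preflight_allowed(request, response, credentials=True):
    """Return (ok, reason) for a preflight OPTIONS exchange; header names in
    both dicts are lowercase, as a browser normalises them."""
    origin = request["origin"]
    acao = response.get("access-control-allow-origin")
    if acao is None:
        return False, "missing Access-Control-Allow-Origin"
    if acao == "*" and credentials:
        return False, "wildcard origin is rejected for credentialed requests"
    if acao != "*" and acao != origin:
        return False, f"origin {origin} not allowed (got {acao})"
    if credentials and response.get("access-control-allow-credentials") != "true":
        return False, "Access-Control-Allow-Credentials must be exactly 'true'"
    wildcard_ok = not credentials  # '*' lists are ignored when credentials are sent
    method = request["access-control-request-method"].upper()
    methods = {m.upper() for m in _csv(response.get("access-control-allow-methods"))}
    if method not in methods and method not in SAFELISTED_METHODS:
        if not (wildcard_ok and "*" in methods):
            return False, f"method {method} not allowed"
    allowed = _csv(response.get("access-control-allow-headers"))
    for h in _csv(request.get("access-control-request-headers")):
        if h in allowed or h in SAFELISTED_HEADERS:
            continue
        # Authorization is never covered by a '*' Allow-Headers value.
        if wildcard_ok and "*" in allowed and h != "authorization":
            continue
        return False, f"header {h} not allowed"
    return True, "ok"

# Preflight request/response headers as captured with Fiddler in comment 0.
CAPTURED_REQUEST = {"origin": "http://localhost.com:57892",
                    "access-control-request-method": "GET",
                    "access-control-request-headers": "authorization"}
CAPTURED_RESPONSE = {"access-control-allow-origin": "http://localhost.com:57892",
                     "access-control-allow-credentials": "true",
                     "access-control-allow-headers": "authorization"}
```

The captured exchange passes every check (the missing Access-Control-Allow-Methods is fine because GET is a safelisted method), consistent with the reporter's reading that the headers themselves are correct.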
Component: Security → DOM: Security
Probably that got fixed by ::AsyncOpen2() changes [Tracking Bug 1182535], but we need to investigate.
Whiteboard: [domsecurity-backlog]
Kamil, Matt, can someone test that please?
Flags: needinfo?(mwobensmith)
Flags: needinfo?(kjozwiak)
QA Contact: kjozwiak
Reproduced the issue using the following build with the website mentioned in comment #0:
* https://archive.mozilla.org/pub/firefox/releases/30.0/win32/en-US/

Received the following error messages via the browser console:
* Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.clyp.it/zhwuptos/playlist. This can be fixed by moving the resource to the same domain or enabling CORS.
* Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.clyp.it/zhwuptos/comments. This can be fixed by moving the resource to the same domain or enabling CORS.
* Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://soundwave.clyp.it/zhwuptos. This can be fixed by moving the resource to the same domain or enabling CORS.

Used the following builds for verification:
* https://archive.mozilla.org/pub/firefox/nightly/2016/03/2016-03-15-03-02-30-mozilla-central/
* https://archive.mozilla.org/pub/firefox/nightly/2016/03/2016-03-13-00-40-12-mozilla-aurora/
* https://archive.mozilla.org/pub/firefox/candidates/46.0b2-candidates/build2/win32/en-US/
* https://archive.mozilla.org/pub/firefox/releases/45.0/win32/en-US/

Results while using Windows 10 x64 VM:
* fx48.0a1 - PASSED (no cross-origin error message)
* fx47.0a2 - PASSED (no cross-origin error message)
* fx46.0b2 - PASSED (no cross-origin error message)
* fx45.0 - PASSED (no cross-origin error message)

Chris, I reproduced the original issue using fx30.0 but I couldn't reproduce the problem via fx48.0a1, fx47.0a2, fx46.0b2 and fx45.0. However, while going through the test case using fx45.0, I noticed several error messages appearing under the browser console [1]. These messages only appeared under fx45.0.

The other thing I've noticed is that once you reach the /error page after refreshing several times, you'll receive the following errors via the browser console:
* mutating the [[Prototype]] of an object will cause your code to run very slowly; instead create the object with the correct initial [[Prototype]] value using Object.create knockout-3.4.0.js:9:449
* mutating the [[Prototype]] of an object will cause your code to run very slowly; instead create the object with the correct initial [[Prototype]] value using Object.create knockout-3.4.0.js:9:449

I'm not sure if these error messages in the browser console are critical or random non-trivial errors.

[1] https://pastebin.mozilla.org/8863786
Flags: needinfo?(mwobensmith)
Flags: needinfo?(mozilla)
Flags: needinfo?(kjozwiak)
Thanks Kamil - so this bug needs an engineer; let's just keep it in the backlog queue for now.
Flags: needinfo?(mozilla)

I believe I'm suffering from the same issue. I'm working on a bit of JavaScript which makes repeated and fast requests to another server (a few hundred requests in a row, 500-750ms apart) and I get intermittent requests blocked with the console saying it's because of CORS. The vast majority work fine.

I don't have the same issue in Chrome, Brave or (chromium based) Edge.

Severity: normal → S3