1153854 - CORS fails for same URL on second request

Status: RESOLVED INCOMPLETE

(Core :: DOM: Security, defect)

Description

[coolg54321]

Attachment: cors.png

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36

Steps to reproduce:

Made two Ajax POST request to the same URL which has CORS enabled with different payloads.

Request headers for the both the requests:

Accept	: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding	: gzip, deflate
Accept-Language	: en-US,en;q=0.5
Host	: subdomain.basedomain.com
Origin	: http://subdomain.basedomain.com
Referer	: http://subdomain.basedomain.com/?gId=12&nId=1&iId=1&sid=1428930190670&lng=de&key=374364a90dd9721
e0fbfdebc39ce562bbc2bfb83749b57fa
User-Agent : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0

Response headers from the first request:

Access-Control-Allow-Origin	: *
Connection	: keep-alive
Content-Length	: 1
Content-Type	: text/html
Date	: Mon, 13 Apr 2015 13:03:50 GMT
Server	: nginx
X-Powered-By	 : PHP/5.3.3


Actual results:

First request succeeds and returns the response but the second one fails with error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at <URL>. This can be fixed by moving the resource to the same domain or enabling CORS.


Expected results:

The second request should also behaved like the first one and returned the response because only difference between both the requests is the payload.

Comment 1

[Josh Matthews [:jdm]]

Any chance this is still reproducible? Do you have a testcase?

Comment 2

[Justin [:JW_SoftvisionQA]]

Closing this issue due to lack of response from reporter.