Closed Bug 1198321 Opened 5 years ago Closed 4 years ago

CORS header 'Access-Control-Allow-Origin' does not match '*'

Categories

(Core :: DOM: Security, defect)

40 Branch
Unspecified
macOS
defect
Not set

RESOLVED INCOMPLETE

People

(Reporter: jason.lunn, Unassigned)

Details

(Whiteboard: [domsecurity-backlog])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36

Steps to reproduce:

Navigate to http://embed.jungroup.com/embedded_videos/catalog_frame?uid=poidhiu&distributorid=1&offer=vast_video-7e53c40e4aaa34d76b250df1ac9c2e2f


Actual results:

Received an error message in the console when a resource was retrieved from a remote server:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://bs.serving-sys.com/BurstingPipe/adServer.bs?cn=is&c=23&pl=VAST&pli=14569042&PluID=0&pos=837&ord=[timestamp]&cim=1. (Reason: CORS header 'Access-Control-Allow-Origin' does not match '*').


Expected results:

'*' is supposed to match all values, so the request should have been allowed.
For reference, Mozilla's documentation confirms my interpretation of '*' as a valid value for this header:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

Also, this behavior is a regression from Firefox 39.
OS: Unspecified → Mac OS X
Severity: normal → blocker
Build ID 20151125030231
User Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Firefox/45.0

Hi, 
I tested this on Firefox Nightly 45.0a1 and I couldn't reproduce the issue. I navigated to http://embed.jungroup.com/embedded_videos/catalog_frame?uid=poidhiu&distributorid=1&offer=vast_video-7e53c40e4aaa34d76b250df1ac9c2e2f and didn't receive any error in the console.

If you think I missed something please add some steps that can help me reproduce this.

Please download the Firefox Nightly from here: https://nightly.mozilla.org/ and retest the problem.

Thank you.
Flags: needinfo?(jason.lunn)
ovidiu,

Please retest the issue using the version cited in the original ticket. I concur that the problem is no longer manifesting on the latest build, but it was 100% reproducible on the first release of version 40.

Thanks,

 - Jason
Flags: needinfo?(jason.lunn)
Hi Jason,

Regarding the issue, if the problem can't be reproduced on the latest version, it means that the problem is resolved. I retested on the latest version, and the issue can't be reproduced.
Severity: blocker → normal
Component: Untriaged → DOM: Security
Product: Firefox → Core
I would make sure that there is a regression test in place to address this issue by isolating the commit where this broke and where it was fixed before resolving this ticket.
(In reply to jason.lunn from comment #5)
> I would make sure that there is a regression test in place to address this
> issue by isolating the commit where this broke and where it was fixed before
> resolving this ticket.

Ok. One step at a time. Kamil, Matt, can you make sure that the problem is fixed by re-testing?
Flags: needinfo?(mwobensmith)
Flags: needinfo?(kjozwiak)
Whiteboard: [domsecurity-backlog]
IMHO, the testcase doesn't work anymore because the video embedded in the page has been removed. Bug should be closed as incomplete.
(In reply to Loic from comment #7)
> IMHO, the testcase doesn't work anymore because the video embedded in the
> page has been removed. Bug should be closed as incomplete.

Thanks Loic for the update. I agree, let's mark it as incomplete.
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(mwobensmith)
Flags: needinfo?(kjozwiak)
Resolution: --- → INCOMPLETE
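
For readers following the '*' discussion in this bug: the CORS check as the Fetch standard defines it, written out as an added example that is not part of the bug report or Firefox's code. The function name `corsCheck`, the origin `http://embed.example` and the sample headers are constructed for illustration, and the example goes beyond the report by also covering credentialed requests, which the report does not mention.

```javascript
// Added example: the Fetch standard's CORS check, reduced to the two response
// headers it reads. corsCheck is a hypothetical name, not a Firefox internal.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  // Header names are case-insensitive, so normalise the keys first.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = String(value).trim();
  }
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    return { allowed: false, reason: 'Access-Control-Allow-Origin missing' };
  }
  const withCredentials = credentialsMode === 'include';
  // The wildcard is honoured only when the request carries no credentials.
  if (allowOrigin === '*' && !withCredentials) {
    return { allowed: true, reason: 'wildcard, no credentials' };
  }
  // Otherwise the value is compared byte-for-byte with the serialized request
  // origin; at this step '*' is just a literal string that matches no origin.
  if (allowOrigin !== requestOrigin) {
    return { allowed: false, reason: `'${allowOrigin}' does not match origin` };
  }
  if (!withCredentials) {
    return { allowed: true, reason: 'exact origin match' };
  }
  // Credentialed requests also need Access-Control-Allow-Credentials: true
  // (case-sensitive).
  if (headers['access-control-allow-credentials'] === 'true') {
    return { allowed: true, reason: 'exact origin match with credentials' };
  }
  return { allowed: false, reason: 'Access-Control-Allow-Credentials is not true' };
}

// Constructed sample inputs (not taken from the bug report).
const ORIGIN = 'http://embed.example';
const samples = [
  ['same-origin', { 'Access-Control-Allow-Origin': '*' }],
  ['include', { 'Access-Control-Allow-Origin': '*' }],
  ['include', { 'Access-Control-Allow-Origin': ORIGIN }],
  ['include', { 'Access-Control-Allow-Origin': ORIGIN,
                'Access-Control-Allow-Credentials': 'true' }],
];
for (const [mode, hdrs] of samples) {
  const result = corsCheck(ORIGIN, mode, hdrs);
  console.log(mode, JSON.stringify(hdrs), '->', result.allowed, `(${result.reason})`);
}
```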