Closed Bug 1272302 Opened 8 years ago Closed 4 years ago

navigator.sendBeacon doesn't set Origin header for same-origin request

Categories

(Core :: DOM: Networking, defect, P3)

RESOLVED DUPLICATE of bug 1424076

People

(Reporter: xiaoyin.l, Assigned: CuveeHsu)

References

(Blocks 1 open bug)

Details

(Whiteboard: btpp-backlog [necko-triaged])

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID: 20160511030221

Steps to reproduce:

1. Navigate to https://en.wikipedia.org/ with Firefox
2. Open Console in the Developer Tools
3. Type in the console: navigator.sendBeacon("abc","abc")
4. Switch to Network tab, click the POST request to "abc", you can see that Origin header is not set in the request.
5. Repeat steps 1-4 on Chrome and Edge on Windows 10 Preview Build 14342


Actual results:

In Firefox, Origin header is not set for same domain beacon request. Tested on Nightly 49.0a1


Expected results:

According to the spec (https://w3c.github.io/beacon/#sec-processing-model), sendBeacon should always set the Origin header regardless of whether it is same domain or cross domain.

Microsoft Edge on Build 14342 and Chrome always send Origin header, which is the correct behavior.
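
An added harness for the reproduction steps above (not part of the original report and not Firefox code): a local Node.js server that serves a page firing a same-origin `navigator.sendBeacon` and reports whether the resulting POST carried an `Origin` header. The `/beacon` path, port 8080, the `--listen` flag and the function names are assumptions made for this example.

```javascript
// Classify a beacon request by its Origin header.
// Assumption: the harness is served over plain http unless `scheme` says otherwise.
function classifyBeacon(headers, scheme = 'http') {
  const origin = headers['origin'];
  if (origin === undefined) return 'origin-missing';   // behaviour reported for Firefox
  if (origin === 'null') return 'origin-opaque';       // serialized opaque origin
  // Host carries the port only when it is non-default, same as a serialized origin.
  return origin === `${scheme}://${headers['host']}` ? 'origin-same' : 'origin-cross';
}

// Page that fires one same-origin beacon as soon as it loads (steps 1-3).
const PAGE = `<!doctype html><title>sendBeacon Origin test</title>
<script>navigator.sendBeacon("/beacon", "abc");</script>
<p>Beacon sent; check the server console.</p>`;

// Request handler: records the verdict for beacon POSTs, serves PAGE otherwise.
function handler(req, res) {
  if (req.method === 'POST' && req.url === '/beacon') {
    const verdict = classifyBeacon(req.headers);
    console.log(`${req.headers['user-agent']}: ${verdict}`);
    res.writeHead(204).end();
    return verdict;
  }
  res.writeHead(200, { 'Content-Type': 'text/html' }).end(PAGE);
  return 'page-served';
}

// Start the server only on request: node beacon-origin.js --listen
if (process.argv.includes('--listen')) {
  const http = require('http');
  http.createServer(handler).listen(8080, '127.0.0.1', () =>
    console.log('Open http://127.0.0.1:8080/ in each browser under test'));
}
```

Load the page once in each browser being compared; the console line per user agent is the equivalent of step 4's Network tab check.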
Component: Untriaged → DOM
Product: Firefox → Core
Version: 49 Branch → unspecified
I don't see where the spec says to add the Origin header.  Step 2 there is just setting the origin in a local variable.  I'm on my mobile, though, so maybe I'm missing it.  Can you point to the step you are looking at?
Flags: needinfo?(xiaoyin.l)
(In reply to Ben Kelly [:bkelly] from comment #1)
> I don't see where the spec says to add the Origin header.  Step 2 there is
> just setting the origin in a local variable.  I'm on my mobile, though, so
> maybe I'm missing it.  Can you point to the step you are looking at?

In Step 9, "Let req be a new request, initialized as follows". The "origin" is listed in the request. Also in Step 9, the mode is set to "CORS", which indicates Origin header should always be set.
NI myself to look on Monday.
Flags: needinfo?(bkelly)
We only send the Origin header for cross-origin CORS requests.  This is a same-origin CORS request.

The spec is in a bit of disarray regarding the Origin header.  See these open spec issues:

https://github.com/whatwg/xhr/issues/31
https://github.com/whatwg/fetch/issues/225

I don't expect our behavior to change any time soon.  We need to reach some kind of agreement between browsers.
Flags: needinfo?(xiaoyin.l)
Flags: needinfo?(bkelly)
Whiteboard: btpp-backlog
I think this is basically a duplicate of bug 446344, but let's leave it separate for now.
Depends on: 446344
Priority: -- → P3
Depends on: 1424076
Component: DOM → DOM: Core & HTML
Component: DOM: Core & HTML → DOM: Networking

Anne, can you confirm what is the right behavior here?

Flags: needinfo?(annevk)

See https://github.com/whatwg/fetch/issues/871. Maybe Junior can look into this when he's back as he worked on clarifying the Origin header before.

Flags: needinfo?(annevk)

Assigning to Junior since he disabled NI while he's out :-)

Assignee: nobody → juhsu
Whiteboard: btpp-backlog → btpp-backlog [necko-triaged]

I did a quick experiment and I believe bug 1424076 handles this.

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE