1281846 - CORS not allowed for location.services.mozilla.com/v1/country

Status: RESOLVED DUPLICATE of bug 1255488

(Cloud Services :: Server: Location, defect)

Description

[alex_mayorga]

¡Hola!

Spotted this on Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0 ID:20160623030210 CSet: c9edfe35619f69f7785776ebd19a3140684024dc "Browser Console":

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://location.services.mozilla.com/v1/country?key=fa6d7fc9-e091-4be1-b6c1-5ada5815ae9d. (Reason: missing token ‘x-csrftoken’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel).

Dropping this bug here in case it is actually actionable.

¡Gracias!
Alex

Comment 1

[Hanno Schlichting]

(In reply to alex_mayorga from comment #0)
> Cross-Origin Request Blocked: The Same Origin Policy disallows reading the
> remote resource at
> https://location.services.mozilla.com/v1/country?key=...
> (Reason: missing token ‘x-csrftoken’ in CORS header
> ‘Access-Control-Allow-Headers’ from CORS preflight channel).

Can you reproduce this following certain steps? Was this triggered just after startup or on a particular web site?

Comment 2

[Hanno Schlichting]

Based on the API key, this is probably a problem with kitsune/SUMO. The non-standard x-csrftoken header also shows up in their codebase, for example in a general AJAX setup function at https://github.com/mozilla/kitsune/blob/a8ed6f598293be6d7286cae2bf8ae3f4d9ea7d8b/kitsune/sumo/static/sumo/js/main.js#L125

My guess is that they broadly apply and add this header to all AJAX calls, even though it should only be added for calls to their own service and not external services like the Mozilla Location Service.

Comment 3

[alex_mayorga]

¡Hola Hanno!

You're right!

Loading https://support.mozilla.org/ causes this to appear.

¡Gracias!
Alex