Open Bug 1412828 Opened 7 years ago Updated 2 years ago

Simple cross-origin request via fetch API fails on 307 redirect

Categories

(Core :: DOM: Core & HTML, defect, P3)

Product:
Core
Component:
DOM: Core & HTML
Version:
56 Branch
Type:
defect

Tracking

()

Status:
UNCONFIRMED

People

(Reporter: firefox, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Safari/604.1.38 Steps to reproduce: Use fetch API to GET resource, which is redirected (with a 307). Actual results: Fetch throws a network error (Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘https://example.com’). The network panel shows two network requests, the first has a 307 response and the second 200. The reason given is wrong, as the headers clearly show a correct Access-Control-Allow-Origin header in both responses. However, the 'origin' header is spelled with lower-case 'o' in the first request and upper-case 'O' in the second. Expected results: The fetch request should have resolved without error.
Component: Untriaged → DOM
Product: Firefox → Core
We need more a test case here. Exactly what code is being executed on what site? A reproduceable case in glitch.com or something like it would be best.
Hello Ben, thanks for reporting this. Would you please provide a simple test case and more information per comment 1? It helps a lot to make this issue more actionable.
Flags: needinfo?(firefox)
Priority: -- → P3
Hi, here's some more info and a test case, sorry for the delay. I've narrowed the issue down, the error occurs under the following conditions: 1. cross-site fetch request 2. request returns with a redirect (307, 303, or 302, probably all 3xx) 3. the redirect target location's domain differs from the original request domain 3. the 'access-control-allow-origin' header is set to the correct origin, _not_ to '*' This results in the following error: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://example.net/. (Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘https://example.com’). Steps to reproduce: 1. install plugin to manipulate response headers (https://addons.mozilla.org/de/firefox/addon/moz-rewrite-js/)(or configure a webserver to do the same) 2. use the following rule set for responses.js: [ { "url" : /^https:\/\/httpstat.us/, "headers" : { "access-control-allow-origin" : "https://example.com", // "location" : "https://httpstat.us" "location" : "https://example.net" } }, { "url" : /^https:\/\/example.net/, "headers" : { // "access-control-allow-origin" : "*", "access-control-allow-origin" : "https://example.com", } } ] 3. open https://example.com in firefox 4. run the following in the console: fetch('https://httpstat.us/307').then((response) => { console.log(response.status) }); Some remarks: 1. If 'access-control-allow-origin' is set to '*' for the final response, all works as expected 2. There is a second bug in the error message (Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘https://example.com’). The domain given is actually what is specified in the 'access-control-allow-origin' header, not what the actual origin is. You can see this by changing the 'access-control-allow-origin' header in the second rule to, e.g., 'https://foo.com': (Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘https://foo.com’). This should read something like 'Reason: CORS header ‘Access-Control-Allow-Origin’ is set to ‘https://foo.com’, which does not match ‘https://example.com’'
Flags: needinfo?(firefox)
Component: DOM → DOM: Core & HTML
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.