Open Bug 1521953 Opened 6 years ago Updated 11 months ago

Firefox stripping CORS headers from cached requests

Categories

(Core :: Networking: Cache, defect, P2)

Product:
Core
Component:
Networking: Cache
Version:
64 Branch
Type:
defect

Tracking

()

Status:
UNCONFIRMED

People

(Reporter: tapitman11, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [necko-triaged])

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0

Steps to reproduce:

Request a file which requires CORS headers. Request the same file again.

Actual results:

The first request works. The second request fails if the file is served from the cache, because the CORS headers are missing.

Expected results:

I would expect either a) the file is served properly from the cache with all the headers included with the original request or b) the entire request is redone, for example if Access-Control-Max-Age has expired.

Component: Untriaged → Networking: Cache
Product: Firefox → Core

Hi reporter,

Do you know if therer is a public url that we can use to reproduce this issue?

Thanks.

Flags: needinfo?(tapitman11)

The priority flag is not set for this bug.
:selenamarie, could you have a look please?

Flags: needinfo?(sdeckelmann)

Sorry, I lost track of this. I will see if I can find a suitable example.

Flags: needinfo?(tapitman11)

I'm on triage this week, will look soon.

Flags: needinfo?(sdeckelmann)

The priority flag is not set for this bug.
:selenamarie, could you have a look please?

Flags: needinfo?(sdeckelmann)
Flags: needinfo?(sdeckelmann)
Priority: -- → P2
Whiteboard: [necko-triaged]

Hi! Have you been able to find an example of this bug? Thank you!

Flags: needinfo?(tapitman11)

Steps to reproduce

  1. Create a simple API that returns value from the querystring 'name' field.
  2. Configure API CORS to allow requests from 'http://Domain1.WebsiteHost1' and 'http://Domain2.WebsiteHost1'.
  3. Configure API to include 'cache-control' response header.
  4. Deploy API to 'http://ApiHost/api'.
  5. Create a simple web page that submits an XHR request to the API, eg when a user clicks a button.
  6. Deploy web page to 'http://Domain1.WebsiteHost1' and 'http://Domain2.WebsiteHost1'.
  7. Open http://Domain1.WebsiteHost1 and http://Domain2.WebsiteHost1 in different browser tabs.
  8. Trigger XHR request in 1st tab.
  9. Trigger XHR request in 2nd tab.

Expected result

At step 8, in http://Domain1.WebsiteHost1 tab, XHR request completes successfully and JavaScript can access response from the API.
At step 9, in http://Domain2.WebsiteHost1 tab, XHR request completes successfully and JavaScript can access response from the API.

Actual result

At step 8, in http://Domain1.WebsiteHost1 tab, XHR request completes successfully and JavaScript can access response from the API.
At step 9, in http://Domain2.WebsiteHost1 tab, XHR request response is retrieved from cache. Console displays CORS error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://ApiHost/api/HttpTrigger1?name=World
(Reason: CORS header 'Access-Control-Allow-Origin' does not match 'http://Domain1.WebsiteHost1')

Actual example

Web pages

Each domain contains only a home page. Home pages are identical.

API end-point

End-point reads 'name' querystring field and responds with "Hello, {name}". For example, GET https://mozcorscachetestfunc.azurewebsites.net/api/HttpTrigger1?name=World will return Hello, World.
HTTP response includes the cache-control=public, max-age=600 header.

Browser version:
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0

Redirect a needinfo that is pending on an inactive user to the triage owner.
:dragana, since the bug has high priority, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(tapitman11) → needinfo?(dd.mozilla)
Flags: needinfo?(dd.mozilla)
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.