Closed Bug 1557386 Opened 1 year ago Closed 2 months ago

Beacon should not be restricted by CORS


(Core :: DOM: Security, defect, P3)




Tracking Status
firefox78 --- fixed


(Reporter: ckerschb, Assigned: jkt)


(Whiteboard: [domsecurity-backlog2])


(3 files)

It seems our implementation of Beacon still applies CORS to Beacon even though the spec says otherwise [1].

We should fix that.


Well, we should use CORS, but it should depend on the Content-Type header. Thomas recently cleaned up that check elsewhere if I remember correctly so might be an easy fix for him.

Flags: needinfo?(twisniewski)
Priority: -- → P3
Whiteboard: [domsecurity-backlog2]

For the record, I have a work-in-progress patch that needs a web platform test, and I'll try to get that across the finish line ASAP (I'll attach the WIP patch soon at least, if I can't get to adding a WPT myself soon).

I'm seeing the following CORB errors which seen related to treating these requests as CORS:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at (Reason: CORS request did not succeed).

Using the following code via the console on

window.addEventListener("beforeunload", () => {
  navigator.sendBeacon("", new Blob(["test"], {type: "application/x-www-form-urlencoded"}));

My understanding of the spec is this shouldn't be treated as CORS/CORB; this isn't the behaviour of Chrome.

Cross-Origin Request Blocked != CORB as proposed by Google (CORB is also not something Firefox implements). The problem is in comment 1.

Haha should have checked searchfox, I've forgotten everything already :'). Thanks Anne!

:twisniewski - did you still have the WIP patch, I'm happy to review or finish it?

Interestingly I am getting a real CORB warning when the request is text (I'm assuming this could be discarded as beacon is never readable):

Cross-Origin Read Blocking (CORB) blocked cross-origin response with MIME type text/html. See for more details.


window.addEventListener("beforeunload", () => {
  navigator.sendBeacon("", "test");

Sure, though I don't know if it applies cleanly or is correct anymore, this was the patch.

Flags: needinfo?(twisniewski)
Assignee: nobody → jonathan

So I tested the patch which applied manually fairly cleanly (Thomas really should get the mercurial credit here imo).

There is already WPT tests under: testing/web-platform/tests/beacon/beacon-cors.sub.window.js

These tests currently pass, which means that the beacon requests have always been sent correctly just the response returns into a console error. A mochitest perhaps could be written for checking the console message but as I understand it wpt couldn't cover that. (currently looking into if this is a simple thing to test for)

Severity: normal → S2
Pushed by
Pass correct CORS flags for Beacon requests r=ckerschb
Pushed by
Testing CORS content and errors for beacon. r=ckerschb

Backed out changeset 68aec891cd2e (bug 1557386) for test_beaconFrame.html failures

Push with failures:

Backout link:

Failure log:

[task 2020-05-21T17:48:58.863Z] 17:48:58     INFO - TEST-START | dom/tests/mochitest/beacon/test_beaconFrame.html
[task 2020-05-21T17:48:59.206Z] 17:48:59     INFO -  *** error running SJS at /builds/worker/workspace/build/tests/mochitest/tests/dom/tests/mochitest/beacon/beacon-handler.sjs: [Exception... "Component is not available"  nsresult: "0x80040111 (NS_ERROR_NOT_AVAILABLE)"  location: "JS frame :: /builds/worker/workspace/build/tests/bin/components/httpd.js :: getHeaderValues :: line 5189"  data: no] on line 2325
[task 2020-05-21T17:48:59.223Z] 17:48:59     INFO - TEST-INFO | started process screentopng
[task 2020-05-21T17:48:59.655Z] 17:48:59     INFO - TEST-INFO | screentopng: exit 0
[task 2020-05-21T17:48:59.655Z] 17:48:59     INFO - Buffered messages logged at 17:48:59
[task 2020-05-21T17:48:59.655Z] 17:48:59     INFO - TEST-PASS | dom/tests/mochitest/beacon/test_beaconFrame.html | Beacon was not sent 
[task 2020-05-21T17:48:59.657Z] 17:48:59     INFO - Buffered messages finished
[task 2020-05-21T17:48:59.659Z] 17:48:59     INFO - TEST-UNEXPECTED-FAIL | dom/tests/mochitest/beacon/test_beaconFrame.html | uncaught exception - SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSON data at beaconSent/<@http://mochi.test:8888/tests/dom/tests/mochitest/beacon/test_beaconFrame.html:63:27
[task 2020-05-21T17:48:59.660Z] 17:48:59     INFO - getBeaconServerStatus/request.onload@http://mochi.test:8888/tests/dom/tests/mochitest/beacon/test_beaconFrame.html:30:21
[task 2020-05-21T17:48:59.660Z] 17:48:59     INFO - EventHandlerNonNull*getBeaconServerStatus@http://mochi.test:8888/tests/dom/tests/mochitest/beacon/test_beaconFrame.html:28:5
[task 2020-05-21T17:48:59.661Z] 17:48:59     INFO - beaconSent@http://mochi.test:8888/tests/dom/tests/mochitest/beacon/test_beaconFrame.html:61:26
[task 2020-05-21T17:48:59.661Z] 17:48:59     INFO - sendBeacon@http://mochi.test:8888/tests/dom/tests/mochitest/beacon/beacon-frame.html:16:19
[task 2020-05-21T17:48:59.662Z] 17:48:59     INFO - setTimeout handler*SimpleTest_setTimeoutShim@http://mochi.test:8888/tests/SimpleTest/SimpleTest.js:788:41
[task 2020-05-21T17:48:59.662Z] 17:48:59     INFO - @http://mochi.test:8888/tests/dom/tests/mochitest/beacon/beacon-frame.html:19:56
[task 2020-05-21T17:48:59.662Z] 17:48:59     INFO - EventListener.handleEvent*@http://mochi.test:8888/tests/dom/tests/mochitest/beacon/beacon-frame.html:19:8
[task 2020-05-21T17:48:59.662Z] 17:48:59     INFO - 
[task 2020-05-21T17:48:59.663Z] 17:48:59     INFO -     simpletestOnerror@SimpleTest/SimpleTest.js:1950:18
[task 2020-05-21T17:48:59.663Z] 17:48:59     INFO -     OnErrorEventHandlerNonNull*@SimpleTest/SimpleTest.js:1925:1
[task 2020-05-21T17:48:59.664Z] 17:48:59     INFO - GECKO(3580) | JavaScript error: http://mochi.test:8888/tests/dom/tests/mochitest/beacon/test_beaconFrame.html, line 63: SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSON data
[task 2020-05-21T17:48:59.664Z] 17:48:59     INFO - GECKO(3580) | MEMORY STAT | vsize 2553MB | residentFast 145MB | heapAllocated 12MB
[task 2020-05-21T17:48:59.664Z] 17:48:59     INFO - TEST-OK | dom/tests/mochitest/beacon/test_beaconFrame.html | took 631ms
Flags: needinfo?(jonathan)
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla78
Attachment #9149874 - Attachment description: Bug 1557386 - Testing CORS content and errors for beacon. r?ckerschb → Bug 1557386 - Testing CORS content and errors for beacon. r=ckerschb

Removing ni, flagged the changed test for checkin.

Flags: needinfo?(jonathan)
Pushed by
Testing CORS content and errors for beacon. r=ckerschb
You need to log in before you can comment on or make changes to this bug.