817962 - Cross Origin XMLHttpRequest can not expose "Location" header even if it is indicated in Access-Control-Expose-Headers

Status: RESOLVED WORKSFORME

(Core :: DOM: Core & HTML, defect, P2)

Description

[florin.botis]

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.238 Safari/535.1

Steps to reproduce:

The following bug was found on Windows XP, Firefox 17.01

Scenario:

1. Make a XHR request to a CORS URL.
2. In the CORS preflight response (and all other server responses) the server includes next header

   Access-Control-Expose-Headers: Location

3. Make the actual CORS call
4. Server responds with HTTP status 201 and includes "Location" header in its response. The "Location" header can be seen using a HTTP packets sniffer.
5. jQuery's xhr.getResponseHeader("Location") returns null even if the Location header is present in the response and it is included in "Access-Control-Expose-Headers"




Actual results:

jQuery's xhr.getResponseHeader("Location") returns null even if the Location header is present in the response and it is included in "Access-Control-Expose-Headers"


Expected results:

jQuery's xhr.getResponseHeader("Location") should return the "Location" header

Comment 1

[Tom S [:evilpie]]

This isn't a bug in JS engine.

Comment 2

[Ioana (away)]

florin, can you please attach a minimized testcase to this bug report?

Comment 3

[Josh Matthews [:jdm]]

http://hg.mozilla.org/mozilla-central/file/9acb9a9eaeb3/content/base/src/nsXMLHttpRequest.cpp#l1424 doesn't show me any smoking gun here. It would be good to make sure that a regular XMLHttpRequest object demonstrates the same problem without any jQuery in the way.

Comment 4

[florin.botis]

Yup,

Seems to be a jQuery bug. I've just tested it using plain XMLHttpRequest and things look better ;)

I'll report a bug to jQuery.

Thanks

Comment 5

[florin.botis]

A little update:

xhr.getResponseHeader("Location") works as expected

BUT

xhr.getAllResponseHeaders() returns no headers.

I think jQuery uses getAllResponseHeaders() method, that would explain $.ajax behavior described above.

There's already a bug logged for the getAllResponseHeaders() issue: https://bugzilla.mozilla.org/show_bug.cgi?id=608735

Comment 6

[florin.botis]

Do you have in plan to fix https://bugzilla.mozilla.org/show_bug.cgi?id=608735 in the near future?

BTW, the jQuery bug is: http://bugs.jquery.com/ticket/10338

Comment 7

[florin.botis]

Attachment: HTML file used for reproducing the issue

I deployed a simple app on Heroku in order to help you reproduce the problem (http://vast-retreat-1055.herokuapp.com).

The app response to a HTTP GET response is:

HTTP Status 200
Headers:

   Content-Type:text/html
   Access-Control-Allow-Origin:*
   Access-Control-Expose-Headers:Location,Content-Length,Accept-Ranges
   Location:LocationHeaderValue
   Accept-Ranges:Accept-RangesHeaderValue

In order to reproduce the bug open the attached corsBug.html in Safari 5.1.7, press "getLocationHeaderCORSCall()" button. 2 alerts will pop up :

1.The value returned by xhr.getResponseHeader("Location")
2.The value returned by xhr.getAllResponseHeaders()

You can check the server response using a Web Console.

Comment 8

[Josh Matthews [:jdm]]

Thanks for the testcase. Bug 608735 is fairly low priority compared to my other work at this point, but if you have any C++ experience I would be happy to guide you through fixing it.

Comment 9

[Boris Zbarsky [:bzbarsky]]

Presumably fixed by bug 608735.