New issue
Advanced search Search tips

Issue 607561 link

Starred by 2 users
Status: Archived
Owner: ----
Closed: Jun 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Bug



Sign in to add a comment

Android WebView isn't setting origin header for CORS GET request with Fetch API

Reported by mike.hay...@gmail.com, Apr 28 2016 
Example URL:

Steps to reproduce the problem:
1. Deploy app using WebView
2. Make CORS GET request using Fetch API
3. Monitor the request on server side or via Chrome developer tools

What is the expected behavior?
An "Origin" header should be set on the request to indicate a CORS request is being made.

What went wrong?
No "Origin" header is set. As such, the server side doesn't treat this as a CORS request and response headers such as "access-control-expose-headers" are not set to allow access to headers.

Did this work before? N/A 

Chrome version: 50.0.2661.86  Channel: stable
OS Version: 49.0.2623.105
Flash Version: 

Strangely, making a POST request using Fetch results in the "Origin" header being set correctly.

Requests via standard XHR also have the "Origin" header set correctly (although XHR uses "file://" as the origin where as Fetch uses "null", either indicate to the server a CORS request is being attempted).
GET.jpg
83.7 KB View Download
POST.jpg
107 KB View Download

Comment 1 by jkarlin@chromium.org, Apr 29 2016

Components: -Internals>Network Blink>Network>FetchAPI

Comment 2 by yhirano@chromium.org, May 2 2016 

Interesting. What is the result string when you evaluate "document.origin" in the WebView?

Comment 3 by tyoshino@chromium.org, May 2 2016 

Is the request same origin? Even when the mode is set to "cors", Chrome doesn't send the origin header when the request is same-origin and the method is either GET or HEAD.

Did you check XHR with the same configuration but just changing the API from Fetch API to XHR?

Comment 4 by rsgav...@chromium.org, May 6 2016

Components: Mobile>WebView

Comment 5 by torne@chromium.org, May 9 2016

Labels: Needs-Feedback
Tested on webview 49.0.2623.105 as shown in the screenshot and also the latest 51 and the origin header is sent correctly if I do fetch('http://www.google.com/') from a random JSbin page.

If your request is actually cross-origin (as mentioned in comment 3), then you'll have to include more information on how to reproduce this, since it seems to work fine in a simple test.
Project Member

Comment 6 by sheriffbot@chromium.org, Jun 9 2016

Status: Archived (was: Unconfirmed)
No feedback was received in the last 30 days from reporter "mike.hayes10@gmail.com", so archiving this. Please re-open or file a new bug if this is still an issue.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment