New issue
Advanced search Search tips

Issue 637054 link

Starred by 8 users
Status: WontFix
Owner: ----
Closed: May 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug



Sign in to add a comment

in v52, preflight call (OPTIONS) for DELETE http request got 403

Reported by lwcf1...@gmail.com, Aug 11 2016 
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Steps to reproduce the problem:
1. 
2. 
3. 

What is the expected behavior?

What went wrong?
in v52, Access-Control-Request-Headers: was set to empty string in pre-flight call (OPTIONS) for DELETE request in our web application.
this issue only happening in V52, but not in the previous version.
Also DELETE with preflight call is working in FF/IE/Safari.
A strong suspect is that Access-Control-Request-Headers: was set to empty string in V52, by comparing the headers (Access-Control-Request-Headers: accept) in V51.
Any quick help is much appreciated.

Did this work before? Yes it works in Version 51.0.2704.103 (64-bit)

Chrome version: 52.0.2743.116  Channel: stable
OS Version: OS X 10.11.4
Flash Version: Shockwave Flash 22.0 r0

Comment 1 by lwcf1...@gmail.com, Aug 11 2016 

this happens in angularjs web application.

Comment 2 by och...@chromium.org, Aug 12 2016

Components: Internals>Network
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug

Comment 3 by lwcf1...@gmail.com, Aug 12 2016 

To re-iterate, in v52, preflight call (OPTIONS) for DELETE http request got 403. The suspect is the Access-Control-Request-Headers which was set to empty string in the preflight call. Whereas in V51, Access-Control-Request-Headers was set to accept.
There is no code changes in our application in production, but all delete calls are failing in Chrome v52.

Comment 4 by pauljensen@chromium.org, Aug 12 2016

Components: -Internals>Network Blink>Loader
Labels: Needs-Feedback
Access-Control-Request-Headers is added in Blink fetch code:
https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/fetch/CrossOriginAccessControl.cpp?l=108&cl=GROK
Adjusting component accordingly.

I imagine a URL that demonstrates this problem would help.
Alternatively, a net-internals log demonstrating this working in M51 and not working in M52 would help:
http://dev.chromium.org/for-testers/providing-network-details

Comment 5 by pauljensen@chromium.org, Aug 15 2016 

 Issue 637614  has been merged into this issue.

Comment 6 by christop...@gmail.com, Aug 30 2016 

We are seeing the same issue. With Chromium v51, preflight OPTIONS requests for POST and DELETE requests work without issue. With Chrome v52 these same requests fail. The curl command from Developer Tools demonstrates that the correct headers are being returned.

See attached net-internals logs, one for Chromium v51 (success) and one for Chrome v52 (fail).
net-internals-log-Succeed-Chromium-v51.json
2.6 MB View Download
net-internals-log-FAIL-Chrome-v52.json
2.2 MB View Download

Comment 7 by kouhei@chromium.org, May 8 2017

Labels: -Needs-Feedback
Status: WontFix (was: Unconfirmed)
Couldn't repro in Canary 60.0.3093.0.

Sign in to add a comment