Wrong cached CORS response used on history navigation
Reported by
hieronym...@gmail.com,
Jan 19 2017
|
|||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 Steps to reproduce the problem: 1. Open http://subdomain1.example.com which fetches a CORS request from api.example.com (which returns a response with header "Access-Control-Allow-Origin: http://subdomain1.example.com") 2. Go to http://subdomain2.example.com which also fetches the same URI with CORS from api.example.com (but now of course gets the header "Access-Control-Allow-Origin: http://subdomain2.example.com") 3. Click the back button in the browser What is the expected behavior? Page from step 1, http://subdomain.example.com, should display correctly. What went wrong? Page from step 1 seems to re-use the cached response from page 2. The CORS request fails loading with this error: "XMLHttpRequest cannot load http://api.example.com. The 'Access-Control-Allow-Origin' header has a value 'http://subdomain2.example.com' that is not equal to the supplied origin. Origin 'http://subdomain1.example.com' is therefore not allowed access." Did this work before? No Does this work in other browsers? Yes Chrome version: 55.0.2883.87 Channel: stable OS Version: 10.0 Flash Version: Shockwave Flash 24.0 r0 Here is a live testcase switching between "rawgit.com" and "cdn.rawgit.com": http://rawgit.com/superlupo12/1a9e257419afe7c138f3df053de3a550/raw/5ea69bb640b32a3678614d92e2bc4d70d8b948ac/chrome-history-broken-vary.html The CORS response also has the necessary "Vary: Origin" header which should prevent mixing up cached responses for the same URI. Works in current Firefox, Safari, MS Edge and IE 11.
,
Jan 19 2017
Does not happen everytime, sometimes have to navigate via forward/back buttons several times.
,
Jan 19 2017
,
Jan 20 2017
tyoshino@ for CORS expertise
,
Jan 20 2017
Reproduces on 55.0.2883.87 but not on ToT. Fixed recently?
,
Jan 20 2017
r432502 has disabled the memory cache for XHR. It has fixed this issue. The fix is included in M56, the next stable release. Please try the beta, dev or canary to verify.
,
Jan 20 2017
yhirano, do you think there's any other place the issue may occur?
,
Jan 20 2017
I can confirm that it works in Beta 56 and Canary. Thank you! |
|||
►
Sign in to add a comment |
|||
Comment 1 by hieronym...@gmail.com
, Jan 19 2017