Headers being Stripped from CORS response.
Reported by
ibigp...@gmail.com,
May 3 2017
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.29 Safari/537.36
Steps to reproduce the problem:
1. Created a simple test web server using Flask and Python 3.6:
```python
from flask import Flask, make_response

app = Flask(__name__)


@app.route('/header', methods=['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'])
def header():
    resp = make_response('', 200)
    resp.headers['Access-Control-Allow-Headers'] = 'content-type, token'
    resp.headers['Access-Control-Allow-Methods'] = 'POST, GET, OPTIONS, PUT, PATCH, DELETE'
    resp.headers['Access-Control-Allow-Origin'] = '*'
    resp.headers['Content-Type'] = 'text/plain; charset=utf-8'
    resp.headers['Token'] = 'yes'
    return resp


@app.route('/noheader', methods=['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'])
def noheaders():
    resp = make_response('', 200)
    resp.headers['Access-Control-Allow-Headers'] = 'content-type'
    resp.headers['Access-Control-Allow-Methods'] = 'POST, GET, OPTIONS, PUT, PATCH, DELETE'
    resp.headers['Access-Control-Allow-Origin'] = '*'
    resp.headers['Content-Type'] = 'text/plain; charset=utf-8'
    resp.headers['Token'] = 'yes'
    return resp


app.run('127.0.0.1', port=3333)
```
2. Open Chrome and access a web page that is NOT the 127.0.0.1:3333 address.
3. Open Developer Tools.
4. Switch to the console.
5. Enter the following in the console:
```js
let headers = {
  Accept: 'text/plain; charset=utf-8',
  'Content-Type': 'text/plain; charset=utf-8',
};
let endpoints = ['header', 'noheader'];
['get', 'post'].map(function(method) {
  let rtn = [];
  let settings = { method, headers };
  for (let i = 0; i < endpoints.length; i += 1) {
    rtn.push(fetch('http://127.0.0.1:3333/' + endpoints[i], settings).then(function(response) {
      return {
        method: method,
        endpoint: endpoints[i],
        resp_ok: response.ok,
        resp_content_type: response.headers.get('content-type'),
        resp_token_lower: response.headers.get('token'),
        // Header lookups are case-insensitive, so both forms return the same value.
        resp_token_cap: response.headers.get('Token'),
      };
    }));
  }
  return rtn;
});
```
6. Inspect the output of the nested array. You'll find all resp_token_cap & resp_token_lower show null. This only happens when CORS is in effect.
```
[
  [
    Promise: {
      [[PromiseStatus]]: "resolved",
      [[PromiseValue]]: {
        endpoint: "header",
        method: "get",
        resp_content_type: "text/plain; charset=utf-8",
        resp_ok: true,
        resp_token_cap: null,
        resp_token_lower: null
      }
    },
    Promise: {
      [[PromiseStatus]]: "resolved",
      [[PromiseValue]]: {
        endpoint: "noheader",
        method: "get",
        resp_content_type: "text/plain; charset=utf-8",
        resp_ok: true,
        resp_token_cap: null,
        resp_token_lower: null
      }
    }
  ],
  [
    Promise: {
      [[PromiseStatus]]: "resolved",
      [[PromiseValue]]: {
        endpoint: "header",
        method: "post",
        resp_content_type: "text/plain; charset=utf-8",
        resp_ok: true,
        resp_token_cap: null,
        resp_token_lower: null
      }
    },
    Promise: {
      [[PromiseStatus]]: "resolved",
      [[PromiseValue]]: {
        endpoint: "noheader",
        method: "post",
        resp_content_type: "text/plain; charset=utf-8",
        resp_ok: true,
        resp_token_cap: null,
        resp_token_lower: null
      }
    }
  ]
]
```
What is the expected behavior?
Pass all headers to the fetch response object, like Firefox 45.7.0 does.
```
[
  [
    Promise: {
      [[PromiseStatus]]: "resolved",
      [[PromiseValue]]: {
        endpoint: "header",
        method: "get",
        resp_content_type: "text/plain; charset=utf-8",
        resp_ok: true,
        resp_token_cap: 'yes',
        resp_token_lower: 'yes'
      }
    },
    Promise: {
      [[PromiseStatus]]: "resolved",
      [[PromiseValue]]: {
        endpoint: "noheader",
        method: "get",
        resp_content_type: "text/plain; charset=utf-8",
        resp_ok: true,
        resp_token_cap: 'yes',
        resp_token_lower: 'yes'
      }
    }
  ],
  [
    Promise: {
      [[PromiseStatus]]: "resolved",
      [[PromiseValue]]: {
        endpoint: "header",
        method: "post",
        resp_content_type: "text/plain; charset=utf-8",
        resp_ok: true,
        resp_token_cap: 'yes',
        resp_token_lower: 'yes'
      }
    },
    Promise: {
      [[PromiseStatus]]: "resolved",
      [[PromiseValue]]: {
        endpoint: "noheader",
        method: "post",
        resp_content_type: "text/plain; charset=utf-8",
        resp_ok: true,
        resp_token_cap: 'yes',
        resp_token_lower: 'yes'
      }
    }
  ]
]
```
What went wrong?
For some reason when CORS is involved in a FETCH request it strips headers.
Did this work before? N/A
Chrome version: 59.0.3071.29 Channel: beta
OS Version: 10.0
Flash Version:
May 4 2017
I found the issue. https://fetch.spec.whatwg.org/#http-access-control-expose-headers
This issue can be closed. It's due to the fact that Access-Control-Expose-Headers was not set. I updated my tests to include this field by replacing the previous header route and function with this. Now requests to header include the token header.
```python
@app.route('/header', methods=['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'])
def header():
    resp = make_response('', 200)
    resp.headers['Access-Control-Allow-Headers'] = 'content-type, token'
    resp.headers['Access-Control-Allow-Methods'] = 'POST, GET, OPTIONS, PUT, PATCH, DELETE'
    resp.headers['Access-Control-Allow-Origin'] = '*'
    resp.headers['Access-Control-Expose-Headers'] = 'Token'
    resp.headers['Content-Type'] = 'text/plain; charset=utf-8'
    resp.headers['Token'] = 'yes'
    return resp
```
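The header filtering described in the Fetch spec section linked in the comment above, modelled as an added example that is not part of the original thread or of Chrome's code. The function name `visibleCorsHeaders` and its parameters are hypothetical, and the sample headers are constructed from the two versions of the `/header` route posted here.

```javascript
// Response headers a script may always read on a cross-origin (CORS) response.
const SAFELISTED = new Set([
  'cache-control', 'content-language', 'content-length',
  'content-type', 'expires', 'last-modified', 'pragma',
]);
// Never readable by script, whatever the server lists.
const FORBIDDEN = new Set(['set-cookie', 'set-cookie2']);

// responseHeaders: plain object of header name -> value, as sent by the server.
// credentialsMode: the request's credentials mode ('omit', 'same-origin', 'include').
function visibleCorsHeaders(responseHeaders, credentialsMode = 'same-origin') {
  const lower = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    lower[name.toLowerCase()] = value;
  }
  const listed = (lower['access-control-expose-headers'] || '')
    .split(',')
    .map((n) => n.trim().toLowerCase())
    .filter(Boolean);
  // '*' exposes every header only when the request carries no credentials;
  // with credentials it is treated as a literal header name.
  const wildcard = listed.includes('*') && credentialsMode !== 'include';
  const exposed = new Set(listed);

  const visible = {};
  for (const [name, value] of Object.entries(lower)) {
    if (FORBIDDEN.has(name)) continue;
    if (SAFELISTED.has(name) || wildcard || exposed.has(name)) {
      visible[name] = value;
    }
  }
  return visible;
}

// Constructed sample: the /header response before and after the fix.
const before = {
  'Access-Control-Allow-Headers': 'content-type, token',
  'Access-Control-Allow-Origin': '*',
  'Content-Type': 'text/plain; charset=utf-8',
  'Token': 'yes',
};
const after = { ...before, 'Access-Control-Expose-Headers': 'Token' };

console.log(visibleCorsHeaders(before)); // content-type only
console.log(visibleCorsHeaders(after));  // content-type and token
```

Because this test server also sends `Access-Control-Allow-Origin: *`, exposing `Token` makes its value readable by script on any origin, so list only the headers that client code actually needs.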
May 4 2017
Closing the issue as per #2. Please file a new issue if you come across this issue again.
Comment 1 by brajkumar@chromium.org, May 4 2017