
Issue 781733

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Closed: Dec 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Bug




Access-Control-Allow-Origin wildcard + include credentials CORS error only when dev tools is open

Reported by d...@danbovey.uk, Nov 6 2017

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36

Steps to reproduce the problem:
1. Open Dev Tools
2. Load page that makes a request to server with different origin where 'Access-Control-Allow-Origin' is a wildcard. In my case, webpack-dev-server where allowed origin is '*'.

1. Load page that makes requests at later times/intervals to server with different origin where 'Access-Control-Allow-Origin' is a wildcard.
2. Open Dev Tools

What is the expected behavior?
No CORS network errors because Origin is allowed.

What went wrong?
Failed to load http://localhost:3000/sockjs-node/info?t=1509963220503: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://localhost:8000' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

It only happens when the dev tools are open.

Did this work before? Yes 

Chrome version: 62.0.3202.75  Channel: stable
OS Version: OS X 10.12.6
Flash Version:
 

Comment 1 by d...@danbovey.uk, Nov 6 2017

The dev tools being open only seems to affect my webpack-dev-server setup. Here's an example that doesn't depend on it being open to show the error: https://codepen.io/danbovey/pen/BmzJom

So I'm guessing it's not a bug, it's a security feature to stop credentials being shared cross-origin.
Labels: Needs-Triage-M62 Needs-Bisect

Comment 3 by kozy@chromium.org, Nov 6 2017

Owner: allada@chromium.org
Status: Assigned (was: Unconfirmed)
Labels: -Needs-Bisect -Type-Bug-Regression M-64 OS-Linux OS-Windows Type-Bug
Status: Untriaged (was: Assigned)
Able to reproduce the issue on Windows 7, Mac 10.12.6 & Ubuntu 14.04 using chrome reported version-62.0.3202.75 & latest stable-62.0.3202.89 as per C#0 & C#1.

Steps:
------
1. Launched chrome
2. Add 'Access-Control-Allow-Origin' extension from webstore
3. Navigate to https://codepen.io/danbovey/pen/BmzJom
4. Open dev tools
5. Click on 'Make Request' button
6. Observed 'XMLHttpRequest cannot load https://api.github.com/. A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'https://s.codepen.io' is therefore not allowed access. The credentials mode of an XMLHttpRequest is controlled by the withCredentials attribute.' error in devtools-> console

Observed the same behavior from M50 builds. As it is a non-regression issue, marking it as Untriaged.

allada@, could you please take a look into this issue?

Please find the attached screencast for reference.

Thanks..!
 
Attachment: 781733.mp4 (2.1 MB)

Comment 5 by d...@danbovey.uk, Nov 14 2017

The Webpack issue I described seems to have gone away for now. The only difference is my Chrome version, which is now 62.0.3202.89.
Status: WontFix (was: Untriaged)
As per comment #5
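
The rule quoted in the error messages above, as an added example that is not part of the original issue or of Chrome's code: a simplified model of the browser-side CORS check, plus a server-side header builder that satisfies it for credentialed requests by echoing an allowlisted origin instead of sending '*'. The function names and the ALLOWED_ORIGINS allowlist are assumptions made for illustration.

```javascript
// Added example. ALLOWED_ORIGINS, corsCheck and buildCorsHeaders are
// hypothetical names; header names are given in lowercase.
const ALLOWED_ORIGINS = new Set(['http://localhost:8000']);

// Simplified browser-side check for a cross-origin response.
// credentialsMode is 'include' when XMLHttpRequest.withCredentials is true.
function corsCheck(requestOrigin, credentialsMode, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) return { ok: false, reason: 'missing ACAO' };
  if (allowOrigin === '*') {
    // The wildcard is honoured only for requests sent without credentials.
    return credentialsMode === 'include'
      ? { ok: false, reason: 'wildcard with credentials' }
      : { ok: true };
  }
  if (allowOrigin !== requestOrigin) return { ok: false, reason: 'origin mismatch' };
  if (credentialsMode !== 'include') return { ok: true };
  // Credentialed requests also need Access-Control-Allow-Credentials: true
  // (the value is compared case-sensitively).
  return headers['access-control-allow-credentials'] === 'true'
    ? { ok: true }
    : { ok: false, reason: 'credentials not allowed' };
}

// Server side: echo the request origin only when it is on the allowlist.
// Echoing any origin together with credentials would let every site read
// authenticated responses, so unknown origins get no CORS headers at all.
function buildCorsHeaders(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    'access-control-allow-origin': requestOrigin,
    'access-control-allow-credentials': 'true',
    vary: 'Origin', // the response differs per origin, so caches must key on it
  };
}

// Constructed sample: the dev-server situation from the report.
const origin = 'http://localhost:8000';
const wildcard = { 'access-control-allow-origin': '*' };
console.log(corsCheck(origin, 'include', wildcard));     // blocked
console.log(corsCheck(origin, 'same-origin', wildcard)); // allowed
console.log(corsCheck(origin, 'include', buildCorsHeaders(origin))); // allowed
```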
