
Issue 785019

Starred by 3 users

Issue metadata

Status: WontFix
Owner:
Leaves the project on 2018/03/02
Closed: May 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




Access-Control-Allow-Origin is cached incorrectly

Reported by zouji...@gmail.com, Nov 14 2017

Issue description

Chrome Version       : 60+
URL : any
Behavior in Safari 4.x/5.x: Didn't test
Behavior in Firefox 3.x/4.x: Didn't test

What steps will reproduce the problem?
(1) You need three websites/origins which all have different hostnames, say:
   a) https://testjs.com hosting a JavaScript file: https://testjs.com/third-party.js. The response for this URL will have a specific origin in the Access-Control-Allow-Origin header. This site allows browser caching.
   b) https://testweb.com hosting a page which will load https://testjs.com/third-party.js, like "<script type="text/javascript" src="https://testjs.com/third-party.js"></script>"
   c) http://testweb2.com also hosting a page which will load https://testjs.com/third-party.js, like "<script type="text/javascript" src="https://testjs.com/third-party.js"></script>"
(2) Open the page from b), which is from "https://testweb.com". After this step, https://testjs.com/third-party.js should have been cached in Chrome.
(3) Open the page from c), which is from "https://testweb2.com". Chrome failed to load https://testjs.com/third-party.js because it tries to use the cache, which has "Access-Control-Allow-Origin" pointing to "https://testweb.com", which doesn't match the current origin "https://testweb2.com".

 
Components: Blink>SecurityFeature

Comment 2 by mkwst@chromium.org, Nov 15 2017

Components: -Blink>SecurityFeature Blink>SecurityFeature>CORS
Owner: tyoshino@chromium.org
Status: Untriaged (was: Unconfirmed)
tyoshino@ Can you triage this?

Comment 3 by mkwst@chromium.org, Nov 16 2017

Status: Assigned (was: Untriaged)

Comment 4 by ajn...@gmail.com, Jan 9 2018

I have a similar issue, maybe related:

I have a page with an image embedded with <img src="https://othersite.com/image.png">. I set the allow-control-access-origin header only if the origin header is present in the request.
After I load the page and try to download the same image with ajax, it fails with the error "No 'Access-Control-Allow-Origin' header is present on the requested resource.", because the browser tries to use the cached headers of the first response, where the allow-control-access-origin header was not set.

Here is a simple demo: https://ajnasz.hu/files/grim-spirit/index.html

Comment 5 by ricea@chromium.org, May 7 2018

Status: WontFix (was: Assigned)
#1 testjs.com needs to set a "Vary: Origin" header on its response. This will force the browser to do a network request when the Origin header is different.

#4 I think the same applies in your case.

See https://fetch.spec.whatwg.org/#cors-protocol-and-http-caches for the relevant standard text.
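An added illustration of the caching behaviour discussed in this thread, not code from Chrome or from any commenter: a toy single-entry HTTP cache replays the requests from the report and from comment 4, with and without `Vary: Origin`. The server stub and function names are constructed for the example, and it assumes the loads in the report are CORS-mode requests that carry an `Origin` header.

```javascript
// Toy model only: a real cache can store several variants per URL; this keeps one.
const URL_JS = 'https://testjs.com/third-party.js';

// Constructed stand-in for the resource server: echoes Origin into ACAO if present.
function originServer(reqHeaders, sendVary) {
  const headers = { 'cache-control': 'max-age=3600' };
  if (reqHeaders.origin) headers['access-control-allow-origin'] = reqHeaders.origin;
  if (sendVary) headers['vary'] = 'Origin';
  return { headers, body: '/* third-party.js */' };
}

// A stored response is reusable only if every header named in its Vary
// has the same value (or is absent) in the stored and the new request.
function varyMatches(entry, reqHeaders) {
  const vary = entry.response.headers['vary'];
  if (!vary) return true;
  if (vary.trim() === '*') return false;
  return vary.split(',').map(h => h.trim().toLowerCase())
    .every(h => entry.request[h] === reqHeaders[h]);
}

// CORS check: ACAO must be "*" or equal the requesting origin.
function corsCheck(response, origin) {
  const acao = response.headers['access-control-allow-origin'];
  return acao === '*' || acao === origin;
}

// Replay requests through one cache; report cache use and load success.
function replay(requests, sendVary) {
  const cache = new Map(); // url -> { request, response }
  return requests.map(reqHeaders => {
    let entry = cache.get(URL_JS);
    const fromCache = entry !== undefined && varyMatches(entry, reqHeaders);
    if (!fromCache) {
      entry = { request: reqHeaders, response: originServer(reqHeaders, sendVary) };
      cache.set(URL_JS, entry);
    }
    // Loads without an Origin header (no-cors) are not subject to the CORS check.
    const ok = !reqHeaders.origin || corsCheck(entry.response, reqHeaders.origin);
    return { fromCache, ok };
  });
}

// Constructed request sequences matching the two cases in the thread.
const reportCase = [{ origin: 'https://testweb.com' }, { origin: 'https://testweb2.com' }];
const comment4Case = [{}, { origin: 'https://testweb.com' }]; // <img> load, then ajax

console.log(replay(reportCase, false), replay(reportCase, true));
console.log(replay(comment4Case, false), replay(comment4Case, true));
```

Without `Vary`, the second request in each sequence is served from the cache and fails the CORS check; with `Vary: Origin`, it misses the cache, goes to the server and succeeds.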
