
Issue 813516

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug




CORS failure on GET 403 response

Reported by rootwall...@gmail.com, Feb 19 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

Steps to reproduce the problem:
1. Have a REST service that legitimately responds to certain requests with a 403 (Forbidden).
2. Using AJAX, make a GET request across origins (in my case I used jQuery 3.0).
3. The browser makes an OPTIONS preflight request, which succeeds (204).
4. Followed by a GET request, which fails with 403.

What is the expected behavior?
Since the OPTIONS request succeeded, the 403 is a legitimate response, and therefore the xhr object should contain the full response from the server.

What went wrong?
When the GET request fails, the console printed the standard "CORS origin missing" error and the xhr response status was set to 0.

Did this work before? No 

Chrome version: 63.0.3239.132  Channel: n/a
OS Version: 10.0
Flash Version:
 
Attachment: Capture2.PNG (30.7 KB)
Labels: Needs-Triage-M63

Comment 2 by junov@chromium.org, Feb 19 2018

Components: -Blink Blink>Network>XHR Blink>SecurityFeature>CORS

Comment 3 by mkwst@chromium.org, Feb 20 2018

Cc: tyoshino@chromium.org mkwst@chromium.org
Labels: -Needs-Triage-M63 Needs-Feedback
Status: Untriaged (was: Unconfirmed)
Does the 403 response contain reasonable CORS headers? That is, does it contain something like `Access-Control-Allow-Origin: [origin of requestor]`? Both the preflight and the response need to allow access to the requested resource in order for it to be available to JavaScript.

No, nor should it, I think. Since the preflight had all of those, and succeeded.
It is true, however, that if Access-Control-Allow-Origin is manually added to the 403 response, the browser then forwards the complete XHR.

Comment 6 by mkwst@chromium.org, Feb 20 2018

Status: WontFix (was: Untriaged)
The preflight is basically asking permission to ask for the resource in a certain way. Granting permission to ask for the resource doesn't grant permission to access the resource. I realize that that's complicated, but that's CORS. :)

You can access the GET response details iff the response allows you to access those details. The preflight doesn't play a role beyond allowing you to make the GET request in the first place.

Closing this out as working-as-intended, as it matches my understanding of both the spec and other vendors' behavior.
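To make the two separate checks concrete, here is an added example (not code from the bug thread or from Chromium) that models, after the Fetch spec's "CORS check", what a browser does with a preflighted cross-origin XHR: the preflight response and the actual response are each checked on their own, and a failure of either surfaces as a network error with status 0. The origin and the response objects are constructed for the example.

```javascript
// Model of the browser-side CORS checks for a preflighted XHR. Header names
// are lower-cased; the Access-Control-Allow-Headers check is omitted for brevity.
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);

// Fetch spec "CORS check": does this response grant the requesting origin access?
function corsCheck(headers, origin, withCredentials) {
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined || allowOrigin === 'null') return false;
  if (!withCredentials) return allowOrigin === '*' || allowOrigin === origin;
  // With credentials the wildcard is rejected and ACAC must be exactly "true".
  return allowOrigin === origin &&
    headers['access-control-allow-credentials'] === 'true';
}

// Preflight passes only if its own CORS check passes, its status is 2xx and
// the method is either CORS-safelisted or explicitly allowed.
function preflightOk(preflight, origin, method, withCredentials) {
  if (preflight.status < 200 || preflight.status > 299) return false;
  if (!corsCheck(preflight.headers, origin, withCredentials)) return false;
  const m = method.toUpperCase();
  const allowed = (preflight.headers['access-control-allow-methods'] || '')
    .split(',').map(s => s.trim().toUpperCase());
  return SAFELISTED_METHODS.has(m) || allowed.includes(m) ||
    (allowed.includes('*') && !withCredentials);
}

// What script observes: a failed check is a network error, reported by XHR as
// status 0 with no readable body; otherwise the real status is exposed.
function xhrOutcome(origin, method, preflight, actual, withCredentials = false) {
  if (!preflightOk(preflight, origin, method, withCredentials)) {
    return { status: 0, readable: false };
  }
  if (!corsCheck(actual.headers, origin, withCredentials)) {
    return { status: 0, readable: false };
  }
  return { status: actual.status, readable: true };
}

// Constructed exchange matching the report: the preflight is fine, the GET
// answers 403 but carries no Access-Control-Allow-Origin header.
const ORIGIN = 'https://app.example';
const PREFLIGHT = { status: 204, headers: {
  'access-control-allow-origin': ORIGIN,
  'access-control-allow-methods': 'GET, OPTIONS' } };
const FORBIDDEN_NO_CORS = { status: 403,
  headers: { 'content-type': 'application/json' } };
// The same 403 with the header the server should also send on error responses.
const FORBIDDEN_WITH_CORS = { status: 403, headers: {
  'content-type': 'application/json', 'access-control-allow-origin': ORIGIN } };
```

Running `xhrOutcome(ORIGIN, 'GET', PREFLIGHT, FORBIDDEN_NO_CORS)` yields status 0, while the variant with the header yields a readable 403, which is the behaviour the reporter observed after adding the header manually.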
