Issue 864501

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Closed: Sep 5
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




Yet another CORB false positive

Reported by fritz.fl...@gmail.com, Jul 17

Issue description

Chrome Version       : 69.0.3493.0 (Official Build) canary (64-bit)
Other browsers tested: N/A

What steps will reproduce the problem?

(1) Set up a local dev server which runs on localhost:8010

(2) Put this code in the server
const http = require('http');
const PORT = 8010;
const HOST = 'localhost';

const schema = {
  title: 'Todo',
  type: 'object',
  required: ['title'],
  properties: {
    title: { type: 'string', title: 'Title', default: 'A new task' },
    done: { type: 'boolean', title: 'Done?', default: false },
  },
};

const server = http.createServer(async (req, res) => {
  await fakeDelay();
  res.setHeader('Content-Type', 'application/json');
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.end(JSON.stringify(schema));
});
server.listen(PORT, HOST, 10, () => {
  console.log(`Started http://${HOST}:${PORT}`);
});

function fakeDelay() {
  return new Promise(resolve => {
    setTimeout(() => resolve(), 20);
  });
}

(3) run the server: node server.js

(4) create any client with the following code
fetch('http://localhost:8010/')
  .then(res => res.json())
  .then(json => {
    console.log('>>>>>>>>', json);
  });


What is the expected result?
The client loads the json


What happens instead?
One of these bloody CORB messages:
Cross-Origin Read Blocking (CORB) blocked cross-origin response http://localhost:8010/ with MIME type application/json. See https://www.chromestatus.com/feature/5629709824032768 for more details.


Please provide any additional information below. Attach a screenshot if
possible.

 
Labels: Needs-Triage-M69
Cc: creis@chromium.org phanindra.mandapaka@chromium.org
Components: Blink>SecurityFeature
Labels: Triaged-ET
As per comment #0, CC'ing Dev for help in triaging this further.

Thanks...!
Cc: mkwst@chromium.org
Owner: lukasza@chromium.org
In step 4, is the client you're loading also on `http://localhost:8010`? If not, the cross-origin response could be reasonably blocked, since we wouldn't expose the data without CORS. Perhaps add `Access-Control-Allow-Origin: *` to the response headers?

Assigning to lukasza@ for additional triage if necessary.
Status: Assigned (was: Unconfirmed)
Cc: lukasza@chromium.org nick@chromium.org
Labels: Needs-Bisect
Owner: creis@chromium.org
lukasza@ is still out for a bit, but I agree-- if the client is cross-origin, then I think it wouldn't be allowed to receive the data even with CORB disabled.

Do you see it working when you run Chrome with --disable-features=CrossSiteDocumentBlockingAlways,CrossSiteDocumentBlockingIfIsolating,site-per-process,IsolateOrigins or do you still see an error?
Tried testing the issue on Windows 10 on the latest Canary 70.0.3503.0 as per comment #1, but unable to bisect this as of now as the Node.js setup is not working.
After installing Node.js on my desktop, entering 'node -v' to get the version gives the error "ReferenceError: node is not defined".

Will try to resolve this issue and provide an update on the same.

Thanks..
Labels: -Needs-Bisect -Needs-Triage-M69
This doesn't need a bisect, thank you susan.boorgula@!
Labels: Needs-Feedback
Oops, my fault on the Needs-Bisect label from comment 5.  That was supposed to be Needs-Feedback, based on the questions in comments 3 and 5.
With Chrome 68, trying to query a Wikipedia OpenSearch server, I also get a CORB block:

---

... SyntaxError: Unexpected end of input ...

---

Cross-Origin Read Blocking (CORB) blocked cross-origin response https://en.wikipedia.org/w/api.php?action=opensearch&format=json&search=google&limit=10&suggest=1&redirects=return with MIME type application/json. See https://www.chromestatus.com/feature/5629709824032768 for more details.

---

It is a false positive, isn't it?

Is there any plan to relax CORS & CORB rules for PWA (although that looks quite difficult)?
RE: #c9: ka.gemayel@: Can you please open a separate bug - the issue you are describing seems independent from what is tracked in the current bug (issue 864501). In the new bug, can you please provide repro steps (which would hopefully help understand how CORS is interacting with PWA; maybe something related to service workers / foreign fetch)?
Status: WontFix (was: Assigned)
Comments 9-10: Agreed, please file a separate bug with more info on how you're making that request.

For this bug, I haven't heard back from the original poster about comments 3 and 5.  Since it doesn't sound like something that would work without CORB, I'll close this as WontFix.
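
The CORS opt-in suggested in the thread, applied to the reporter's server, as an added example that is not part of the issue thread or of Chromium's code. It grants `Access-Control-Allow-Origin` only to an allowlisted origin rather than `*`, and uses a simplified model of the browser's check to show which pages can read the JSON. The allowlist, the client origin http://localhost:3000 and all helper names are assumptions.

```javascript
// Added example; not code from the issue thread or from Chromium.
// Assumptions: the allowlist and the client origin http://localhost:3000.
const ALLOWED_ORIGINS = new Set(['http://localhost:3000']);
const API_ORIGIN = 'http://localhost:8010'; // the reporter's server
const schema = { title: 'Todo', type: 'object', required: ['title'] };

// Choose the CORS response headers for the request's Origin header.
function corsHeadersFor(origin) {
  // Vary: Origin keeps a cache from replaying one origin's grant to another.
  const headers = { Vary: 'Origin' };
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
  }
  return headers;
}

// Same response as the reporter's server plus the CORS opt-in.
// Usable as: require('http').createServer(handler).listen(8010, 'localhost')
function handler(req, res) {
  res.setHeader('Content-Type', 'application/json');
  res.setHeader('X-Content-Type-Options', 'nosniff');
  for (const [name, value] of Object.entries(corsHeadersFor(req.headers.origin))) {
    res.setHeader(name, value);
  }
  res.end(JSON.stringify(schema));
}

// Simplified model of the browser's check for a non-credentialed fetch():
// same-origin is always readable, cross-origin needs a matching header.
function pageMayRead(pageOrigin, responseHeaders) {
  if (pageOrigin === API_ORIGIN) return true;
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  return acao === '*' || acao === pageOrigin;
}

// Run the handler against an in-memory response and return its headers.
function simulate(origin) {
  const headers = {};
  const res = { setHeader: (k, v) => { headers[k] = v; }, end: () => {} };
  handler({ headers: origin ? { origin } : {} }, res);
  return headers;
}

// Constructed page origins: same-origin, allowlisted, and not allowlisted.
for (const page of [API_ORIGIN, 'http://localhost:3000', 'http://localhost:9999']) {
  // Same-origin GET requests typically carry no Origin header.
  const origin = page === API_ORIGIN ? undefined : page;
  console.log(page, pageMayRead(page, simulate(origin)) ? 'readable' : 'blocked');
}
```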
