Issue metadata
Sign in to add a comment
|
Chrome doesn't invalidate CORS cache when Origin header is changed
Reported by
vioi...@gmail.com,
Aug 7
|
||||||||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36 Example URL: https://portal.loganalytics.io/demo Steps to reproduce the problem: 1. Open a browser tab and go to: https://portal.loganalytics.io/demo 2. Open a second browser tab and go to: https://analytics.applicationinsights.io/demo What is the expected behavior? Both domains are sernved by the same web service that uses the same CDN. Both tabs should load their static files from the CDN service. The CDN service is configured to return the "Access-Control-Allow-Origin" based on the given Origin header value. What went wrong? The second tab gets CORS errors, requests are sent to the origin service rather then CDN. The error message: Access to Script at 'https://applicationanalytics.azureedge.net/vs/editor/editor.main.min.js?_b=08d0e' from origin 'https://analytics.applicationinsights.io' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value 'https://portal.loganalytics.io' that is not equal to the supplied origin. Origin 'https://analytics.applicationinsights.io' is therefore not allowed access. Did this work before? Yes Not sure about the version, the new behavior was observed a week ago more or less. Chrome version: 68.0.3440.84 Channel: stable OS Version: 10.0 Flash Version: Trying to investigate the issue in our (and CDN side) we found that if Chrome gets the Vary header with the value "Origin" the cache is invalidated as expected when switching domains. However trying to change the Vary header value in CDN (we use Microsoft Azure CDN which uses Verizon CDN) we found that this header changes are blocked by design so the cache won't be bloated (there is 1 exception which is the "Vary: accept-encoding" value)
,
Aug 8
Unable to reproduce the issue on reported chrome version 68.0.3440.84 and on latest chrome version #70.0.3515.0 using Windows 10 by following below steps. Steps: --------- 1.Launched the chrome. 2.Opened https://portal.loganalytics.io/demo in first tab 3.Opened https://analytics.applicationinsights.io/demo in second tab , and observed that both pages loaded. Note: Also tried opening the two links in two diffrent windows, observed that the pages loaded. Attached screencast for reference. @Reporter: Could you please review the attached screen-cast and confirm if anything being missed here and request you to retry this issue with fresh profile without any extensions/apps or reset all the flags and let us know if issue still persists. Thanks.!
,
Aug 8
Hi, Thanks for checking the issue! The portal is loaded correctly as there is a fallback layer that sends the requests to the origin service rather than to CDN (This obviously affects user experience and performance). You may see the error if you open Developers tools in the second tab. See the attached screenshot. Thanks!
,
Aug 8
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 8
Chrome's caching behavior looks correct to me. Because the response changes depending on the "origin" header, it is imperative that the cached response include "vary: origin". This is noted in the Fetch spec: https://fetch.spec.whatwg.org/#cors-protocol-and-http-caches If for whatever reason you aren't able to set the Vary, a workaround could be to change your access-control-allow-origin response header to include all the origins (rather than keying it off of the request Origin). For instance in this example this would also have worked: access-control-allow-origin: https://portal.loganalytics.io,https://analytics.applicationinsights.io
,
Aug 9
Hi, I have to admit your multiple values suggestion was my first attemp to resolve the issue, but then I got an error from Chrome that the access-control-allow-origin value is invalid as it contains multiple values. I'll try to reproduce it and will post the error message. Thanks a lot!
,
Aug 9
It doesn't look like comma-separated origins is allowed by the Fetch spec (not sure why https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin says it is a thing...)
,
Aug 9
Hi, I've managed to reproduce the error I got when multiple values are defined in the access-control-allow-origin header: Access to Script at 'https://applicationanalytics-int.azureedge.net/plugins/auth/laPortalAuthApp.js?_b=f75bed' from origin 'https://ailoganalyticsportal-int.cloudapp.net' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values 'https://ailoganalyticsportal-int.cloudapp.net,https://portal-int.loganalytics.io', but only one is allowed. Origin 'https://ailoganalyticsportal-int.cloudapp.net' is therefore not allowed access.
,
Aug 9
As eroman@ said, this is an expected error. https://fetch.spec.whatwg.org/#http-access-control-allow-origin https://fetch.spec.whatwg.org/#http-new-header-syntax The latest Fetch spec defines the A-C-A-O header as: > Access-Control-Allow-Origin = origin-or-null / wildcard > origin-or-null = origin / %x6E.75.6C.6C ; "null", case-sensitive > origin = scheme "://" host [ ":" port ] I think the mozilla's document is based on the old W3C's CORS spec, https://www.w3.org/TR/cors/#access-control-allow-origin-response-header, it allowed origin-list-or-null of https://tools.ietf.org/html/rfc6454#section-7.1 IIRC, a little old fetch spec explicitly said the Access-Control-Allow-Origin's definition was different from RFC's origin-list-or-null, but the latest spec just provides ABNF instead.
,
Aug 9
Ok thanks a lot everyone for your help! |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by manoranj...@chromium.org
, Aug 7