Issue metadata
Sign in to add a comment
|
Access-Control-Allow-Origin CORS header contains wrong protocol
Reported by
stefan.g...@googlemail.com,
Oct 2
|
||||||||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Example URL: http://localhost:8080 Steps to reproduce the problem: I am developing a Vue.js application using a local development server (i.e. http://localhost:8080 ). This approach is also usual for other popular web frontend frameworks such as Angular or React. I want to fetch and display data from a remote system (i.e. https://jsonplaceholder.typicode.com/comments ) which in turns needs to implement CORS headers. Until recently, this has worked as expected: Chrome sends pre-flight OPTIONS request, remote server responds with headers (see below), actual HTTP request takes place. In order to reproduce the issue, you would need: - A frontend application running on http://localhost:8080 open in Chrome - A remote server to be called, i.e. https://jsonplaceholder.typicode.com/comments for debugging purposes - A call which can be triggered from your frontend application, e. g. on page load or via button click. What is the expected behavior? Expected behavior: As headers in response to the pre-flight request are sent, the following HTTP request is allowed. CORS headers as seen sent by server in HTTP response: Access-Control-Allow-Methods →DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT Access-Control-Allow-Origin →http://localhost:8080 This set of CORS headers can be seen in the response when using Firefox's dev tools, Safari, Postman (using the same set of request headers), or simply server logs if you are controlling the remote server. What went wrong? Since recently (less than a week ago), Chrome dev tools will show the following CORS headers: access-control-allow-methods: GET,HEAD,PUT,PATCH,POST,DELETE access-control-allow-origin: https://localhost:8080 As you can see, "https" is depicted as the allowed protocol for the "access-control-allow-origin" header. However, "http" was sent by the server. This leads to the following error message being printed in the Chrome dev console: "Failed to load https://jsonplaceholder.typicode.com/comments: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header has a value 'https://localhost:8080' that is not equal to the supplied origin. Origin 'http://localhost:8080' is therefore not allowed access." This means that the local development setup for any developer using a local development server with a remote CORS-enabled API is dysfunctional using the latest Chrome build. I can use Firefox as a fallback for now and there are CORS extensions for Chrome; yet I would prefer to be able to use Chrome for developing again as before. Did this work before? Yes Chrome version from stable channel, less than one week ago Chrome version: 69.0.3497.100 Channel: stable OS Version: OS X 10.13.5 Flash Version:
,
Oct 3
,
Oct 3
Can you provide a file set that serves local http server and allow us to reproduce the issue by accessing it? We do not make such change, and have some tests. So something may be special in your case.
,
Oct 3
,
Oct 4
I attached an HTML file which can be used to reproduce the issue. Required steps: 1. Place file in <some folder>. 2. cd <some folder> && python -m SimpleHTTPServer 3. Open http://localhost:8000 in Chrome. 4. Observe CORS failure in DevTools console or network tab.
,
Oct 4
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 4
Also could you try checking actual network request/response in chrome://net-internals? My best guess is you are seeing a response from a proxy or a cache, and other browsers can revalidate it for some reasons.
,
Oct 4
,
Oct 9
Did not work in the last days, even in private mode and without cache. Just tried again - it works now, without any modifications to the extensions. Thanks for the tip regarding chrome://net-internals and the quick responses; issue can be closed.
,
Oct 9
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 10
As per comment #10 we are closing this issue as Won't fix. @Reporter: Please feel to raise a new issue if issue is seen in future. Thanks..! |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by mmenke@chromium.org
, Oct 2