ajax option method error in HSTS
Reported by
feifeipa...@gmail.com,
Jan 7
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36

Steps to reproduce the problem:
1. upgrade the site to HSTS
2. Make an ajax call using OPTION method
3. Error happened because the response status code is not 200 https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0

What is the expected behavior?

What went wrong?
An ajax call using OPTION method got error in HSTS site.

Did this work before? N/A
Does this work in other browsers? N/A

Chrome version: 70.0.3538.110 Channel: n/a
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version:
Jan 7

Jan 8
Thanks for filing the issue... @reporter: Could you please provide a sample URL that reproduces the issue so that it would be really helpful for triaging the issue.
Jan 15
1. set webresource.c-ctrip.com to chrome://net-internals/#hsts list
2. visit http://m.ctrip.com
3. error occurred: "Access to XMLHttpRequest at 'http://webresource.c-ctrip.com/ResADVOnline/R2/dist/sales/lasttime.v2.0.js' from origin 'http://m.ctrip.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request."
Jan 15
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Yesterday (44 hours ago)
This is a predictable result of our internal implementation of HSTS as a 307 redirect. We should probably exclude internal redirects from this CORS check, which looks like it might be what Firefox is doing. +toyoshim@ for opinions.
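
A simplified model of the behaviour described in the comment above, added here as an example and not Chromium code or part of the thread: the HSTS upgrade is represented as an internal 307, and the preflight check either rejects every redirect or exempts internal ones. The function names, the `exemptInternalRedirects` option and the stub server are assumptions; the host and URLs are the ones from the report.

```javascript
// Simplified model for illustration; names and structure are assumptions, not Chromium internals.
const HSTS_HOSTS = new Set(['webresource.c-ctrip.com']); // host the reporter added to the HSTS list

// HSTS upgrade modeled as the comment describes it: an internal 307 to the https:// URL.
function hstsRedirect(url) {
  const u = new URL(url);
  if (u.protocol !== 'http:' || !HSTS_HOSTS.has(u.hostname)) return null;
  u.protocol = 'https:';
  return { status: 307, location: u.href, internal: true };
}

// Constructed stub server: answers the OPTIONS request with 200 and echoes the origin.
function stubServer(url, origin) {
  return { status: 200, headers: { 'access-control-allow-origin': origin } };
}

// Preflight check. By default any redirect fails it, which is the behaviour in the report.
// exemptInternalRedirects models the change proposed in the comment.
function preflight(url, origin, { exemptInternalRedirects = false } = {}) {
  const hop = hstsRedirect(url);
  if (hop && !(hop.internal && exemptInternalRedirects)) {
    return { ok: false, url, error: 'Redirect is not allowed for a preflight request.' };
  }
  const target = hop ? hop.location : url;
  const res = stubServer(target, origin);
  if (res.status < 200 || res.status > 299) {
    return { ok: false, url: target, error: `Preflight status ${res.status}` };
  }
  const allow = res.headers['access-control-allow-origin'];
  if (allow !== '*' && allow !== origin) {
    return { ok: false, url: target, error: 'Origin not allowed' };
  }
  return { ok: true, url: target, error: null };
}

const ORIGIN = 'http://m.ctrip.com';
const PATH = '/ResADVOnline/R2/dist/sales/lasttime.v2.0.js';
const asReported = preflight('http://webresource.c-ctrip.com' + PATH, ORIGIN);
const withExemption = preflight('http://webresource.c-ctrip.com' + PATH, ORIGIN,
  { exemptInternalRedirects: true });
const httpsDirect = preflight('https://webresource.c-ctrip.com' + PATH, ORIGIN);
console.log({ asReported, withExemption, httpsDirect });
```

In this model a request made directly to the `https://` URL never produces the upgrade hop, so it passes the strict check as well.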
Comment 1 by morlovich@chromium.org, Jan 7