XMLHttpRequest - Chrome & CORS with 302 redirects and withCredentials=true
I am having trouble with Chromium-based browsers and CORS requests that include 302 redirects. More specifically, I am having trouble with Chromium versions 34-42 inclusive; 43 and later work, and it seems that 33 and earlier versions worked too (I didn't test far past 33, but 28 worked).

My XHR request uses withCredentials=true, so Access-Control-Allow-Origin="*" is not allowed; the server must reply with an Access-Control-Allow-Origin header that echoes the incoming request's Origin header.

After receiving the first 302, Chromium 43 and later sends "Origin: null" as part of the redirected request, and accepts "Access-Control-Allow-Origin: null" in the response (as Firefox does).

The Chromium 34-42 series sends the host name as the Origin on the redirected requests, and several issues from that time indicate that CORS redirects were only supported with Access-Control-Allow-Origin set to "*", and that "the original XHR must not have allow-credentials set to true", for example:

I am hoping this is a misconception, and that there is something an app developer can do on the client and/or server to coerce those versions not to cancel the redirect, or, failing that, ideas for a workaround.

Version 33 and earlier sent the entire host name on every request, and the full roundtrip works.

One possible workaround I have been experimenting with stems from the fact that I do not need withCredentials=true for the cross-domain request; I do need the redirect to the origin host to exchange cookie-based authentication for an access_token, but I cannot find a way for the client to send the cookie when following the 302 unless it was sent on the original cross-domain request.

To illustrate, here are excerpts from the chrome://net-internals/#events log of a successful request using Chrome 43:
```
[img src]
http_transaction_send_request_headers -->
/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq%3d%3d.jpg?timestamp=1437075435614 http/1.1
host: media-qa.example.com
origin: https://qa-app.example.com
user-agent: mozilla/5.0 (windows nt 6.3; wow64) applewebkit/537.36 (khtml, gecko) chrome/43.0.2357.65 safari/537.36
referer: https://qa-app.example.com/media/photos/
cookie: [1568 bytes stripped]
http_transaction_read_response_headers -->
http/1.1 302 found
access-control-allow-credentials: true
access-control-allow-headers: x-http-method-override, content-type, x-requested-with
access-control-allow-origin: https://qa-app.example.com
content-type: text/html; charset=utf-8
location: https://qa-app.example.com/oauth/authorize/?request_uri=https%3a//media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq%3d%3d.jpg%3ftimestamp%3d1437075435614

[get cross-domain access token]
http_transaction_send_request_headers -->
/oauth/authorize/?request_uri=https%3a//media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq%3d%3d.jpg%3ftimestamp%3d1437075435614 http/1.1
host: qa-app.example.com
origin: null
user-agent: mozilla/5.0 (windows nt 6.3; wow64) applewebkit/537.36 (khtml, gecko) chrome/43.0.2357.65 safari/537.36
referer: https://qa-app.example.com/media/photos/
cookie: [1762 bytes stripped]
http_transaction_read_response_headers -->
http/1.1 302 found
access-control-allow-credentials: true
access-control-allow-headers: content-type, x-http-method-override, x-requested-with
access-control-allow-origin: null
content-type: text/html; charset=utf-8
location: https://media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq==.jpg?timestamp=1437075435614&access_token=l221i4rc5r8ny2abp4lixo7apr6hlihttkrokkqi3tzusal7ne7aobclui432mast8b/nh7ksffrhscohk7p86lc4c9glkrn%2bze/ubjeg8gbrvlnxdjdzbffp9kabyr9ondm9b1budrav1q19it8ol3abzthrmng1e%2bmmt%2bvyk0qxlqq6ya/thfrgyc9xwfbkqw6bqsployvophzz4t3dgzimtd9hjcbluujzt7nf7icaobcar9ciuh8vlcp4wkomxk3aodslyu6iuztrhrss7oplbttxgmzblsaum%2bccfzdnu5tuh%2bqkmp2qqherwrjkunn9s5zcrzlxdugg8%2b698wh5zyfva%2b/pefykkf%2bauqkjbvicgq%2bgxcyocuqe4yju/gpmhsbc6gvvyfmtkdag4za1n4fvbmbb9u%2bhhzndw0kvj55n9qgj86lhzjddvfeivet0tvto1u0u6wp/tm4emxltmk3urbpeamwbt9ple8%3d

[url redirection service adds cloudfront signature]
http_transaction_send_request_headers -->
/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq==.jpg?timestamp=1437075435614&access_token=l221i4rc5r8ny2abp4lixo7apr6hlihttkrokkqi3tzusal7ne7aobclui432mast8b/nh7ksffrhscohk7p86lc4c9glkrn%2bze/ubjeg8gbrvlnxdjdzbffp9kabyr9ondm9b1budrav1q19it8ol3abzthrmng1e%2bmmt%2bvyk0qxlqq6ya/thfrgyc9xwfbkqw6bqsployvophzz4t3dgzimtd9hjcbluujzt7nf7icaobcar9ciuh8vlcp4wkomxk3aodslyu6iuztrhrss7oplbttxgmzblsaum%2bccfzdnu5tuh%2bqkmp2qqherwrjkunn9s5zcrzlxdugg8%2b698wh5zyfva%2b/pefykkf%2bauqkjbvicgq%2bgxcyocuqe4yju/gpmhsbc6gvvyfmtkdag4za1n4fvbmbb9u%2bhhzndw0kvj55n9qgj86lhzjddvfeivet0tvto1u0u6wp/tm4emxltmk3urbpeamwbt9ple8%3d http/1.1
host: media-qa.example.com
origin: null
user-agent: mozilla/5.0 (windows nt 6.3; wow64) applewebkit/537.36 (khtml, gecko) chrome/43.0.2357.65 safari/537.36
referer: https://qa-app.example.com/media/photos/
cookie: [1568 bytes stripped]
http_transaction_read_response_headers -->
http/1.1 302 found
access-control-allow-credentials: true
access-control-allow-headers: x-http-method-override, content-type, x-requested-with
access-control-allow-origin: null
content-type: text/html; charset=utf-8
location: https://gbbrsh.cloudfront.net/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq==.jpg?expires=1437075499&signature=rpcvix5lcf5~arah0wxhsob3sn7zfxxiwnal8eodlsliz5c9ycic1wf~sjwtnwd5fxs~sbhexiz37oqjhjed3mtpixamupjo1mq-v8acc8n-gewbivmqrw9kcjcrmtquss7tynafqopv0bpqkh2g1xvdfodaozzwso7pxnpr50c2ndydd-wmznlkj657dj4-wcl8zjdupogixsfcxm1azgy5p034scl8jb8zyeh1budszlkqa8lipsy08mt9t8zjfcr2i6bqbznzoqut3jboey8vprl4lmtyomvjantabevzc6rq6cm~jd~ya2fockk5bngyxm043ou71nexs0lhtg__&key-pair-id=apkajnuaahkhvosppxtq
set-cookie: [349 bytes stripped]

[finally, cloudfront image]
http_transaction_send_request_headers -->
/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq==.jpg?expires=1437075499&signature=rpcvix5lcf5~arah0wxhsob3sn7zfxxiwnal8eodlsliz5c9ycic1wf~sjwtnwd5fxs~sbhexiz37oqjhjed3mtpixamupjo1mq-v8acc8n-gewbivmqrw9kcjcrmtquss7tynafqopv0bpqkh2g1xvdfodaozzwso7pxnpr50c2ndydd-wmznlkj657dj4-wcl8zjdupogixsfcxm1azgy5p034scl8jb8zyeh1budszlkqa8lipsy08mt9t8zjfcr2i6bqbznzoqut3jboey8vprl4lmtyomvjantabevzc6rq6cm~jd~ya2fockk5bngyxm043ou71nexs0lhtg__&key-pair-id=apkajnuaahkhvosppxtq http/1.1
host: gbbrsh.cloudfront.net
origin: null
user-agent: mozilla/5.0 (windows nt 6.3; wow64) applewebkit/537.36 (khtml, gecko) chrome/43.0.2357.65 safari/537.36
referer: https://qa-app.example.com/media/photos/
http_transaction_read_response_headers -->
http/1.1 200 ok
content-length: 48776
access-control-allow-origin: null
access-control-allow-methods:
access-control-max-age: 3000
access-control-allow-credentials: true
vary: origin
```
And here is an unsuccessful log using version 42. Note that where the redirected requests in the 43 log above sent "Origin: null", 42 sends the host name (which the server replies with), and the client cancels the request:
```
http_transaction_send_request_headers -->
/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq%3d%3d.jpg?timestamp=1437074740624 http/1.1
host: media-qa.example.com
origin: https://qa-app.example.com
user-agent: mozilla/5.0 (windows nt 6.3; wow64) applewebkit/537.36 (khtml, gecko) chrome/42.0.2311.135 safari/537.36
referer: https://qa-app.example.com/media/photos/
cookie: [1571 bytes stripped]
http_transaction_read_response_headers -->
http/1.1 302 found
access-control-allow-credentials: true
access-control-allow-headers: x-http-method-override, content-type, x-requested-with
access-control-allow-origin: https://qa-app.example.com
location: https://qa-app.example.com/oauth/authorize/?request_uri=https%3a//media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq%3d%3d.jpg%3ftimestamp%3d1437074740624

http_transaction_send_request_headers -->
/oauth/authorize/?request_uri=https%3a//media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq%3d%3d.jpg%3ftimestamp%3d1437074740624 http/1.1
host: qa-app.example.com
origin: https://qa-app.example.com
user-agent: mozilla/5.0 (windows nt 6.3; wow64) applewebkit/537.36 (khtml, gecko) chrome/42.0.2311.135 safari/537.36
referer: https://qa-app.example.com/media/photos/
cookie: [1769 bytes stripped]
http_transaction_read_response_headers -->
http/1.1 302 found
access-control-allow-credentials: true
access-control-allow-headers: content-type, x-http-method-override, x-requested-with
access-control-allow-origin: https://qa-app.example.com
location: https://media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq==.jpg?timestamp=1437074740624&access_token=jbxemck/weq2tjovtgwuxdzb1ggmbqldix3z5wfswflf2azvmcud99wtau%2bbervxm6lk1mrp1ubm/bf59urps9uxmlyc%2bnk6layqrubho3umbnzk967w/5f9/1ynfrhqe1y9fgrskddqjdzdowkmavyscw%2bn1ofkrb4tykz9owja1wruim82mt5uzdb5exvlunlccgqt9ljn6ydhpm7ujmwqmg8v0kfpikl4zgb/5wfxxa2njy1qq3gbfgfqid49vw/xdp6b9q9kril4d/nuluocruvw5ihzciqygpnjl1garcvr%2b5%2bbbkbw3c0gou4x/ojiewnds2pyppxngkploy88l4gcjpgw%2bxmdip4wugcojhrporbjp2y87anay1k6bsi1j9xhxisnjxt7pmsyxpbfmycoawv/w1fh1e/tu1ygxjhaohax%2b19bxoiypwfjvw3djggbkn1jro%2bde%2bolgjfextfarwfx4nycenyyad0%3d
vary: accept-encoding
url_request_delegate [dt=0]
+url_request_delegate [dt=3]
delegate_info [dt=3] --> delegate_info = "asyncresourcehandler"
-url_request_delegate
cancelled
```
As mentioned, if I go back to version 33, it works even though the client sends the host name in the Origin header on the redirected requests:
```
http_transaction_send_request_headers -->
/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq%3d%3d.jpg?timestamp=1437076851710 http/1.1
host: media-qa.example.com
origin: https://qa-app.example.com
user-agent: mozilla/5.0 (windows nt 6.3; wow64) applewebkit/537.36 (khtml, gecko) chrome/33.0.1750.117 safari/537.36
referer: https://qa-app.example.com/media/photos/
cookie: [1550 bytes stripped]
http_transaction_read_response_headers -->
http/1.1 302 found
access-control-allow-credentials: true
access-control-allow-headers: x-http-method-override, content-type, x-requested-with
access-control-allow-origin: https://qa-app.example.com
location: https://qa-app.example.com/oauth/authorize/?request_uri=https%3a//media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq%3d%3d.jpg%3ftimestamp%3d1437076851710

http_transaction_send_request_headers -->
/oauth/authorize/?request_uri=https%3a//media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq%3d%3d.jpg%3ftimestamp%3d1437076851710 http/1.1
host: qa-app.example.com
origin: https://qa-app.example.com
user-agent: mozilla/5.0 (windows nt 6.3; wow64) applewebkit/537.36 (khtml, gecko) chrome/33.0.1750.117 safari/537.36
referer: https://qa-app.example.com/media/photos/
cookie: [1763 bytes stripped]
http_transaction_read_response_headers -->
http/1.1 302 found
access-control-allow-credentials: true
access-control-allow-headers: content-type, x-http-method-override, x-requested-with
access-control-allow-origin: https://qa-app.example.com
location: https://media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq==.jpg?timestamp=1437076851710&access_token=c30mmvgozsztkpm3vgmnflzepkkt//%2bizk5gbr39dvpfiaezfjnmocxj0ucch10jce0yvoirt8yishervvgzlgpy2rr2ywxkh1isycl0ungyop2bdyyz1cjnawnryz4qs0uctdqikngzi3oc10tdiwzhz8aaofaosrfejpqrt553axjpzr2se4z73ttu2pd%2b7ilicarbjp0r9yhdaaaujgqhkbakclvvw5tarqberr1otxbf0cjn764ez/2geqcrhvo0rtvuqguvpt/sur9yfyuh1b/rfozj0o/oj8reueg2c8p/o1zrpn8emkmb%2bvwlxg97dpo6qpqmzgvayczsudwgfvpnj8wctxedqf0rzqmv3hg71std9lk30bb46sdtup24w7th4pxqjy0cwbupammz/mklwuswy6lerx7ibb7gp%2b9oscleheaxkwfr%2bd63rfpmtwbthkof/pjio%2bbmoxjz07ejyaeyxdtfolmfvm8%3d
vary: accept-encoding

http_transaction_send_request_headers -->
/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq==.jpg?timestamp=1437076851710&access_token=c30mmvgozsztkpm3vgmnflzepkkt//%2bizk5gbr39dvpfiaezfjnmocxj0ucch10jce0yvoirt8yishervvgzlgpy2rr2ywxkh1isycl0ungyop2bdyyz1cjnawnryz4qs0uctdqikngzi3oc10tdiwzhz8aaofaosrfejpqrt553axjpzr2se4z73ttu2pd%2b7ilicarbjp0r9yhdaaaujgqhkbakclvvw5tarqberr1otxbf0cjn764ez/2geqcrhvo0rtvuqguvpt/sur9yfyuh1b/rfozj0o/oj8reueg2c8p/o1zrpn8emkmb%2bvwlxg97dpo6qpqmzgvayczsudwgfvpnj8wctxedqf0rzqmv3hg71std9lk30bb46sdtup24w7th4pxqjy0cwbupammz/mklwuswy6lerx7ibb7gp%2b9oscleheaxkwfr%2bd63rfpmtwbthkof/pjio%2bbmoxjz07ejyaeyxdtfolmfvm8%3d http/1.1
host: media-qa.example.com
origin: https://qa-app.example.com
user-agent: mozilla/5.0 (windows nt 6.3; wow64) applewebkit/537.36 (khtml, gecko) chrome/33.0.1750.117 safari/537.36
referer: https://qa-app.example.com/media/photos/
cookie: [1550 bytes stripped]
http_transaction_read_response_headers -->
http/1.1 302 found
access-control-allow-credentials: true
access-control-allow-headers: x-http-method-override, content-type, x-requested-with
access-control-allow-origin: https://qa-app.example.com
location: https://gbbrsh.cloudfront.net/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq==.jpg?expires=1437076916&signature=wbdgsqxer-zareygid1~da8puanubha4wruft-wi5soh4z-5ayw35uocog7duc9fonaqaeu5nvp8hkdofdb--ic4amh0e~lmhaj38gtp-lhnyyfqdpjjoemgm2gy3sb0kg7qa8~etxx9jkdjtcg9hkf0epievuwwixekgyasbe0tkr4clyhnd3sidjbfgcqqz7nmhmb-3vosqdkykkz9sebuiqo0qbl8svqbkmeiufxcf2mrir4hvdejfqsse3ysbbhimlkainaeokemizeajnhb-ncn31lvy4lo1lxiycqkh9qwpopa6ukk0wryxwwiti2vraaxsjm-xgbgiiarma__&key-pair-id=apkajnuaahkhvosppxtq

http_transaction_send_request_headers -->
/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq==.jpg?expires=1437076916&signature=wbdgsqxer-zareygid1~da8puanubha4wruft-wi5soh4z-5ayw35uocog7duc9fonaqaeu5nvp8hkdofdb--ic4amh0e~lmhaj38gtp-lhnyyfqdpjjoemgm2gy3sb0kg7qa8~etxx9jkdjtcg9hkf0epievuwwixekgyasbe0tkr4clyhnd3sidjbfgcqqz7nmhmb-3vosqdkykkz9sebuiqo0qbl8svqbkmeiufxcf2mrir4hvdejfqsse3ysbbhimlkainaeokemizeajnhb-ncn31lvy4lo1lxiycqkh9qwpopa6ukk0wryxwwiti2vraaxsjm-xgbgiiarma__&key-pair-id=apkajnuaahkhvosppxtq http/1.1
host: gbbrsh.cloudfront.net
origin: https://qa-app.example.com
user-agent: mozilla/5.0 (windows nt 6.3; wow64) applewebkit/537.36 (khtml, gecko) chrome/33.0.1750.117 safari/537.36
referer: https://qa-app.example.com/media/photos/
http_transaction_read_response_headers -->
http/1.1 200 ok
access-control-allow-origin: https://qa-app.example.com
access-control-allow-methods:
access-control-max-age: 3000
access-control-allow-credentials: true
vary: origin
```
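As an added example (not code from the question or the site it describes), here is the server-side rule the question states, with an allowlist of permitted origins and an explicit opt-in for the "Origin: null" that Chrome 43 and later send on the redirected hop, next to the browser-side acceptance rule that makes "*" fail for a credentialed request; ALLOWED_ORIGINS, allowNullOrigin and the function names are this example's own assumptions.

```javascript
// Added example, not from the question. Server-side rule the question states:
// a credentialed (withCredentials = true) request cannot be answered with "*";
// Access-Control-Allow-Origin must echo the request's Origin. ALLOWED_ORIGINS,
// allowNullOrigin and the function names are this example's own assumptions.
const ALLOWED_ORIGINS = new Set([
  "https://qa-app.example.com", // the origin seen in the question's logs
]);

function corsHeadersFor(requestHeaders, { allowNullOrigin = false } = {}) {
  // Header names are case-insensitive, so look the Origin up case-insensitively.
  const entry = Object.entries(requestHeaders)
    .find(([name]) => name.toLowerCase() === "origin");
  if (!entry) return {}; // no Origin header: not a CORS request
  const origin = entry[1];
  // "null" is what Chrome 43+ sends on the redirected hop in the question, but
  // it is also sent by sandboxed iframes and file:/data: pages, so reflecting it
  // with credentials is an explicit opt-in here rather than the default.
  const permitted =
    ALLOWED_ORIGINS.has(origin) || (origin === "null" && allowNullOrigin);
  if (!permitted) return { "Vary": "Origin" }; // no ACAO at all: browser blocks it
  return {
    "Access-Control-Allow-Origin": origin, // exact echo, never "*"
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers":
      "X-HTTP-Method-Override, Content-Type, X-Requested-With",
    "Vary": "Origin", // response depends on Origin; caches must key on it
  };
}

// Browser-side acceptance rule implied by the question: with credentials the
// ACAO value must equal the Origin that was sent and ACAC must be "true";
// without credentials "*" or an exact match is enough.
function browserAcceptsResponse(requestOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const acac = responseHeaders["Access-Control-Allow-Credentials"];
  if (acao === undefined) return false;
  if (withCredentials) return acao === requestOrigin && acac === "true";
  return acao === "*" || acao === requestOrigin;
}

// Walk the two hops from the question's Chrome 43 log: first hop carries the
// app origin, the redirected hop carries "null".
function simulateRedirectHops(allowNullOrigin) {
  const hops = ["https://qa-app.example.com", "null"];
  return hops.map((origin) =>
    browserAcceptsResponse(origin, corsHeadersFor({ Origin: origin }, { allowNullOrigin }), true));
}
```

Without the opt-in the second hop is rejected exactly as the question's logs show for a non-matching Origin, so the decision to allow "null" should be made per endpoint rather than globally.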