xmlhttprequest - Chrome & CORS with 302 redirects and withCredentials=true -

-

i having trouble chromium-based browsers , cors requests include 302 redirects. more specifically, having trouble chromium versions 34-42 inclusive; 43 , later works, , seems 33 , earlier versions worked (i didn't test far past 33, 28 worked).

my xhr request uses withcredentials=true, access-control-allow-origin="*" not allowed; server must reply access-control-allow-origin header echoes incoming request's origin header.

after receiving first 302, chromium 43 , later sends "origin: null" part of redirected request, , accepts 'access-control-allow-origin: null" in response (as firefox).

the chromium series of 34-42 send host name origin requests, , several issues time indicate cors redirects only supported access-control-allow-origin set "*", , "the original xhr must not have allow-credentials set true", example:

i hoping misconception, , there app developer can on client and/or server coerce versions not cancel redirect, or failing that, ideas workaround.

version 33 & earlier sent entire host name every request, , full roundtrip works.

one possibility workaround have been experimenting stems fact that, not need withcredentials=true cross-domain request, need redirect origin host exchange cookie-based authentication access_token, not find way client send cookie when following 302 unless sent original cross-domain request.

to illustrate, here excerpts chrome://net-internals/#events log successful request using chrome 43:

    [img src]     http_transaction_send_request_headers     --> /media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq%3d%3d.jpg?timestamp=1437075435614 http/1.1         host: media-qa.example.com         origin: https://qa-app.example.com         user-agent: mozilla/5.0 (windows nt 6.3; wow64) applewebkit/537.36 (khtml, gecko) chrome/43.0.2357.65 safari/537.36         referer: https://qa-app.example.com/media/photos/         cookie: [1568 bytes stripped]     http_transaction_read_response_headers     --> http/1.1 302 found         access-control-allow-credentials: true         access-control-allow-headers: x-http-method-override, content-type, x-requested-with         access-control-allow-origin: https://qa-app.example.com         content-type: text/html; charset=utf-8         location: https://qa-app.example.com/oauth/authorize/?request_uri=https%3a//media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq%3d%3d.jpg%3ftimestamp%3d1437075435614      [get cross-domain access token]     http_transaction_send_request_headers     --> /oauth/authorize/?request_uri=https%3a//media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq%3d%3d.jpg%3ftimestamp%3d1437075435614 http/1.1         host: qa-app.example.com         origin: null         user-agent: mozilla/5.0 (windows nt 6.3; wow64) applewebkit/537.36 (khtml, gecko) chrome/43.0.2357.65 safari/537.36         referer: https://qa-app.example.com/media/photos/         cookie: [1762 bytes stripped]     http_transaction_read_response_headers     --> http/1.1 302 found         access-control-allow-credentials: true         access-control-allow-headers: content-type, x-http-method-override, x-requested-with         access-control-allow-origin: null         content-type: text/html; charset=utf-8         location: https://media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq==.jpg?timestamp=1437075435614&access_token=l221i4rc5r8ny2abp4lixo7apr6hlihttkrokkqi3tzusal7ne7aobclui432mast8b/nh7ksffrhscohk7p86lc4c9glkrn%2bze/ubjeg8gbrvlnxdjdzbffp9kabyr9ondm9b1budrav1q19it8ol3abzthrmng1e%2bmmt%2bvyk0qxlqq6ya/thfrgyc9xwfbkqw6bqsployvophzz4t3dgzimtd9hjcbluujzt7nf7icaobcar9ciuh8vlcp4wkomxk3aodslyu6iuztrhrss7oplbttxgmzblsaum%2bccfzdnu5tuh%2bqkmp2qqherwrjkunn9s5zcrzlxdugg8%2b698wh5zyfva%2b/pefykkf%2bauqkjbvicgq%2bgxcyocuqe4yju/gpmhsbc6gvvyfmtkdag4za1n4fvbmbb9u%2bhhzndw0kvj55n9qgj86lhzjddvfeivet0tvto1u0u6wp/tm4emxltmk3urbpeamwbt9ple8%3d      [url redirection service adds cloudfront signature]     http_transaction_send_request_headers     --> /media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq==.jpg?timestamp=1437075435614&access_token=l221i4rc5r8ny2abp4lixo7apr6hlihttkrokkqi3tzusal7ne7aobclui432mast8b/nh7ksffrhscohk7p86lc4c9glkrn%2bze/ubjeg8gbrvlnxdjdzbffp9kabyr9ondm9b1budrav1q19it8ol3abzthrmng1e%2bmmt%2bvyk0qxlqq6ya/thfrgyc9xwfbkqw6bqsployvophzz4t3dgzimtd9hjcbluujzt7nf7icaobcar9ciuh8vlcp4wkomxk3aodslyu6iuztrhrss7oplbttxgmzblsaum%2bccfzdnu5tuh%2bqkmp2qqherwrjkunn9s5zcrzlxdugg8%2b698wh5zyfva%2b/pefykkf%2bauqkjbvicgq%2bgxcyocuqe4yju/gpmhsbc6gvvyfmtkdag4za1n4fvbmbb9u%2bhhzndw0kvj55n9qgj86lhzjddvfeivet0tvto1u0u6wp/tm4emxltmk3urbpeamwbt9ple8%3d http/1.1         host: media-qa.example.com         origin: null         user-agent: mozilla/5.0 (windows nt 6.3; wow64) applewebkit/537.36 (khtml, gecko) chrome/43.0.2357.65 safari/537.36         referer: https://qa-app.example.com/media/photos/         cookie: [1568 bytes stripped]     http_transaction_read_response_headers     --> http/1.1 302 found         access-control-allow-credentials: true         access-control-allow-headers: x-http-method-override, content-type, x-requested-with         access-control-allow-origin: null         content-type: text/html; charset=utf-8         location: https://gbbrsh.cloudfront.net/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq==.jpg?expires=1437075499&signature=rpcvix5lcf5~arah0wxhsob3sn7zfxxiwnal8eodlsliz5c9ycic1wf~sjwtnwd5fxs~sbhexiz37oqjhjed3mtpixamupjo1mq-v8acc8n-gewbivmqrw9kcjcrmtquss7tynafqopv0bpqkh2g1xvdfodaozzwso7pxnpr50c2ndydd-wmznlkj657dj4-wcl8zjdupogixsfcxm1azgy5p034scl8jb8zyeh1budszlkqa8lipsy08mt9t8zjfcr2i6bqbznzoqut3jboey8vprl4lmtyomvjantabevzc6rq6cm~jd~ya2fockk5bngyxm043ou71nexs0lhtg__&key-pair-id=apkajnuaahkhvosppxtq         set-cookie: [349 bytes stripped]      [finally, cloudfront image]     http_transaction_send_request_headers     --> /media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq==.jpg?expires=1437075499&signature=rpcvix5lcf5~arah0wxhsob3sn7zfxxiwnal8eodlsliz5c9ycic1wf~sjwtnwd5fxs~sbhexiz37oqjhjed3mtpixamupjo1mq-v8acc8n-gewbivmqrw9kcjcrmtquss7tynafqopv0bpqkh2g1xvdfodaozzwso7pxnpr50c2ndydd-wmznlkj657dj4-wcl8zjdupogixsfcxm1azgy5p034scl8jb8zyeh1budszlkqa8lipsy08mt9t8zjfcr2i6bqbznzoqut3jboey8vprl4lmtyomvjantabevzc6rq6cm~jd~ya2fockk5bngyxm043ou71nexs0lhtg__&key-pair-id=apkajnuaahkhvosppxtq http/1.1         host: gbbrsh.cloudfront.net         origin: null         user-agent: mozilla/5.0 (windows nt 6.3; wow64) applewebkit/537.36 (khtml, gecko) chrome/43.0.2357.65 safari/537.36         referer: https://qa-app.example.com/media/photos/     http_transaction_read_response_headers     --> http/1.1 200 ok         content-length: 48776         access-control-allow-origin: null         access-control-allow-methods:         access-control-max-age: 3000         access-control-allow-credentials: true         vary: origin

and here unsuccessful log using version 42, note redirects using 43 above sent "origin: null", 42 sends host name (which server replies with), , client cancels request:

    http_transaction_send_request_headers     --> /media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq%3d%3d.jpg?timestamp=1437074740624 http/1.1         host: media-qa.example.com         origin: https://qa-app.example.com         user-agent: mozilla/5.0 (windows nt 6.3; wow64) applewebkit/537.36 (khtml, gecko) chrome/42.0.2311.135 safari/537.36         referer: https://qa-app.example.com/media/photos/         cookie: [1571 bytes stripped]     http_transaction_read_response_headers     --> http/1.1 302 found         access-control-allow-credentials: true         access-control-allow-headers: x-http-method-override, content-type, x-requested-with         access-control-allow-origin: https://qa-app.example.com         location: https://qa-app.example.com/oauth/authorize/?request_uri=https%3a//media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq%3d%3d.jpg%3ftimestamp%3d1437074740624      http_transaction_send_request_headers     --> /oauth/authorize/?request_uri=https%3a//media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq%3d%3d.jpg%3ftimestamp%3d1437074740624 http/1.1         host: qa-app.example.com         origin: https://qa-app.example.com         user-agent: mozilla/5.0 (windows nt 6.3; wow64) applewebkit/537.36 (khtml, gecko) chrome/42.0.2311.135 safari/537.36         referer: https://qa-app.example.com/media/photos/         cookie: [1769 bytes stripped]     http_transaction_read_response_headers     --> http/1.1 302 found         access-control-allow-credentials: true         access-control-allow-headers: content-type, x-http-method-override, x-requested-with         access-control-allow-origin: https://qa-app.example.com         location: https://media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq==.jpg?timestamp=1437074740624&access_token=jbxemck/weq2tjovtgwuxdzb1ggmbqldix3z5wfswflf2azvmcud99wtau%2bbervxm6lk1mrp1ubm/bf59urps9uxmlyc%2bnk6layqrubho3umbnzk967w/5f9/1ynfrhqe1y9fgrskddqjdzdowkmavyscw%2bn1ofkrb4tykz9owja1wruim82mt5uzdb5exvlunlccgqt9ljn6ydhpm7ujmwqmg8v0kfpikl4zgb/5wfxxa2njy1qq3gbfgfqid49vw/xdp6b9q9kril4d/nuluocruvw5ihzciqygpnjl1garcvr%2b5%2bbbkbw3c0gou4x/ojiewnds2pyppxngkploy88l4gcjpgw%2bxmdip4wugcojhrporbjp2y87anay1k6bsi1j9xhxisnjxt7pmsyxpbfmycoawv/w1fh1e/tu1ygxjhaohax%2b19bxoiypwfjvw3djggbkn1jro%2bde%2bolgjfextfarwfx4nycenyyad0%3d         vary: accept-encoding   url_request_delegate  [dt=0]  +url_request_delegate  [dt=3]     delegate_info  [dt=3]     --> delegate_info = "asyncresourcehandler"  -url_request_delegate   cancelled

as mentioned, if go version 33, works though client sending host name in origin header requests:

    http_transaction_send_request_headers     --> /media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq%3d%3d.jpg?timestamp=1437076851710 http/1.1         host: media-qa.example.com         origin: https://qa-app.example.com         user-agent: mozilla/5.0 (windows nt 6.3; wow64) applewebkit/537.36 (khtml, gecko) chrome/33.0.1750.117 safari/537.36         referer: https://qa-app.example.com/media/photos/         cookie: [1550 bytes stripped]     http_transaction_read_response_headers     --> http/1.1 302 found         access-control-allow-credentials: true         access-control-allow-headers: x-http-method-override, content-type, x-requested-with         access-control-allow-origin: https://qa-app.example.com         location: https://qa-app.example.com/oauth/authorize/?request_uri=https%3a//media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq%3d%3d.jpg%3ftimestamp%3d1437076851710      http_transaction_send_request_headers     --> /oauth/authorize/?request_uri=https%3a//media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq%3d%3d.jpg%3ftimestamp%3d1437076851710 http/1.1         host: qa-app.example.com         origin: https://qa-app.example.com         user-agent: mozilla/5.0 (windows nt 6.3; wow64) applewebkit/537.36 (khtml, gecko) chrome/33.0.1750.117 safari/537.36         referer: https://qa-app.example.com/media/photos/         cookie: [1763 bytes stripped]     http_transaction_read_response_headers     --> http/1.1 302 found         access-control-allow-credentials: true         access-control-allow-headers: content-type, x-http-method-override, x-requested-with         access-control-allow-origin: https://qa-app.example.com         location: https://media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq==.jpg?timestamp=1437076851710&access_token=c30mmvgozsztkpm3vgmnflzepkkt//%2bizk5gbr39dvpfiaezfjnmocxj0ucch10jce0yvoirt8yishervvgzlgpy2rr2ywxkh1isycl0ungyop2bdyyz1cjnawnryz4qs0uctdqikngzi3oc10tdiwzhz8aaofaosrfejpqrt553axjpzr2se4z73ttu2pd%2b7ilicarbjp0r9yhdaaaujgqhkbakclvvw5tarqberr1otxbf0cjn764ez/2geqcrhvo0rtvuqguvpt/sur9yfyuh1b/rfozj0o/oj8reueg2c8p/o1zrpn8emkmb%2bvwlxg97dpo6qpqmzgvayczsudwgfvpnj8wctxedqf0rzqmv3hg71std9lk30bb46sdtup24w7th4pxqjy0cwbupammz/mklwuswy6lerx7ibb7gp%2b9oscleheaxkwfr%2bd63rfpmtwbthkof/pjio%2bbmoxjz07ejyaeyxdtfolmfvm8%3d         vary: accept-encoding      http_transaction_send_request_headers     --> /media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq==.jpg?timestamp=1437076851710&access_token=c30mmvgozsztkpm3vgmnflzepkkt//%2bizk5gbr39dvpfiaezfjnmocxj0ucch10jce0yvoirt8yishervvgzlgpy2rr2ywxkh1isycl0ungyop2bdyyz1cjnawnryz4qs0uctdqikngzi3oc10tdiwzhz8aaofaosrfejpqrt553axjpzr2se4z73ttu2pd%2b7ilicarbjp0r9yhdaaaujgqhkbakclvvw5tarqberr1otxbf0cjn764ez/2geqcrhvo0rtvuqguvpt/sur9yfyuh1b/rfozj0o/oj8reueg2c8p/o1zrpn8emkmb%2bvwlxg97dpo6qpqmzgvayczsudwgfvpnj8wctxedqf0rzqmv3hg71std9lk30bb46sdtup24w7th4pxqjy0cwbupammz/mklwuswy6lerx7ibb7gp%2b9oscleheaxkwfr%2bd63rfpmtwbthkof/pjio%2bbmoxjz07ejyaeyxdtfolmfvm8%3d http/1.1         host: media-qa.example.com         origin: https://qa-app.example.com         user-agent: mozilla/5.0 (windows nt 6.3; wow64) applewebkit/537.36 (khtml, gecko) chrome/33.0.1750.117 safari/537.36         referer: https://qa-app.example.com/media/photos/         cookie: [1550 bytes stripped]     http_transaction_read_response_headers     --> http/1.1 302 found         access-control-allow-credentials: true         access-control-allow-headers: x-http-method-override, content-type, x-requested-with         access-control-allow-origin: https://qa-app.example.com         location: https://gbbrsh.cloudfront.net/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq==.jpg?expires=1437076916&signature=wbdgsqxer-zareygid1~da8puanubha4wruft-wi5soh4z-5ayw35uocog7duc9fonaqaeu5nvp8hkdofdb--ic4amh0e~lmhaj38gtp-lhnyyfqdpjjoemgm2gy3sb0kg7qa8~etxx9jkdjtcg9hkf0epievuwwixekgyasbe0tkr4clyhnd3sidjbfgcqqz7nmhmb-3vosqdkykkz9sebuiqo0qbl8svqbkmeiufxcf2mrir4hvdejfqsse3ysbbhimlkainaeokemizeajnhb-ncn31lvy4lo1lxiycqkh9qwpopa6ukk0wryxwwiti2vraaxsjm-xgbgiiarma__&key-pair-id=apkajnuaahkhvosppxtq      http_transaction_send_request_headers     --> /media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bwfpbi1ulw4tmc0wltatnduwltq0nq==.jpg?expires=1437076916&signature=wbdgsqxer-zareygid1~da8puanubha4wruft-wi5soh4z-5ayw35uocog7duc9fonaqaeu5nvp8hkdofdb--ic4amh0e~lmhaj38gtp-lhnyyfqdpjjoemgm2gy3sb0kg7qa8~etxx9jkdjtcg9hkf0epievuwwixekgyasbe0tkr4clyhnd3sidjbfgcqqz7nmhmb-3vosqdkykkz9sebuiqo0qbl8svqbkmeiufxcf2mrir4hvdejfqsse3ysbbhimlkainaeokemizeajnhb-ncn31lvy4lo1lxiycqkh9qwpopa6ukk0wryxwwiti2vraaxsjm-xgbgiiarma__&key-pair-id=apkajnuaahkhvosppxtq http/1.1         host: gbbrsh.cloudfront.net         origin: https://qa-app.example.com         user-agent: mozilla/5.0 (windows nt 6.3; wow64) applewebkit/537.36 (khtml, gecko) chrome/33.0.1750.117 safari/537.36         referer: https://qa-app.example.com/media/photos/     http_transaction_read_response_headers     --> http/1.1 200 ok         access-control-allow-origin: https://qa-app.example.com         access-control-allow-methods:         access-control-max-age: 3000         access-control-allow-credentials: true         vary: origin


Comments

Post a Comment

Popular posts from this blog

php - Zend Framework / Skeleton-Application / Composer install issue -

-
i trying create zend framework application using skeleton in netbeans. when run composer install, following error message: "c:\php\php.exe" "c:\composer\composer.phar" "--ansi" "--no-interaction" "update" "--dev" using deprecated option "dev". dev packages installed default now. loading composer repositories package information updating dependencies (including require-dev) requirements not resolved installable set of packages. problem 1 - package requires php >=5.5 php version (5.4.42) not satisfy requirement. problem 2 - installation request zendframework/zendframework 2.5.1 -> satisfiable zendframework/zendframework[2.5.1]. - zendframework/zendframework 2.5.1 requires php >=5.5 -> php version (5.4.42) not satisfy requirement. done. apparently, zend framework only needs php 5.3+ contradicts above. need use php 5.4. my composer.json following: { "name": "
Read more

c# - Better 64-bit byte array hash -

-
i need hash algorithm produces 64-bit hash code ( long ) fewer collisions string.gethashcode() , fast (no expensive calls cryptographic functions). here's implementation of fnv still shows 3% of collisions after testing 2 million random strings. need number way lower. void main() { const string chars = "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz!#@$%^&*()_+}{\":?><,./;'[]0123456789\\"; const int n = 2000000; var random = new random(); var hashes = new hashset<long>(); int collisions = 0; for(int = 0; < n; i++) { var len = random.next(chars.length); var str = new char[len]; (int j = 0; j < len; j++) { str[j] = chars[random.next(chars.length)]; } var s = new string(str); if(!hashes.add(get64bithash( s ))) collisions++; } console.writeline("collision percentage after " + n + " random strings: " + ((doubl
Read more

python - PyCharm Type error Message -

-
i'm newbie trying out ml/dbn in python (3.4) under pycharm (comm.ed 4.5). following definition def make_thetas(xmin,xmax,n): xs = np.linespace(xmin,xmax,n) widths = (xs[1:] - xs[:-1])/2.0 thetas = xs[:-1] + widths return thetas throws error "class 'tuple' not define ' sub ', '-' operator cannot used on instance" on - operator on third line (widths = ....) ideas on how code running under pycharm - works alright in interactive python window. thx. to all, after g'g lot have found workaround seems work within pycharm. workaround because (even python newbie) expected python not need explicit typecasting, not when using datatypes imported lib such numpy. def make_thetas(xmin,xmax,n): xs = np.array(np.linspace(xmin,xmax,n)) widths = (xs[1:] - xs[:-1])/2.0 thetas = xs[:-1]+ widths return thetas using docstrings type-hinting such below did not work def make_thetas(xmin,xmax,n): "&q
Read more