W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2016

Accessing the same CORS-Resource from multiple sites

From: Reto Gmür <me@farewellutopia.com>
Date: Mon, 27 Jun 2016 14:45:19 +0200
Message-Id: <1467031519.398379.649603409.5B4D7C5C@webmail.messagingengine.com>
To: public-webappsec@w3.org

When I first encountered the issue, I thought it would be a browser-bug,
seeing that it's not working in any browser I tried makes me think that
I might be missing something.

When requesting the same remote resource from pages on different hosts
the requests succeeds on the first request and on subsequent requests
from pages on the same host but fails on pages on another host. I've
seen this behaviour in firefox, chromium and edge but strangely enough
not always.

To try it out check out, access these pages in any order (the pages are
identical, only the hostname differs):


After pressing the "Request data" button on the first page you will see
a dialog with the contents of the remote resource, if you try to do the
same on the other host you might see the following on the browser

    Cross-Origin Request Blocked: The Same Origin Policy disallows
    reading the remote resource at
    https://www.w3.org/People/Berners-Lee/card.rdf. (Reason: CORS header
    'Access-Control-Allow-Origin' does not match

It seems that the browser is caching some inferred
Access-Control-Allow-Origin-Header and then complaining that the new
host doesn't match. Note that the server actually return "*" as value of
the header.

I think it should be a very common usecase to include a CORS-Accessible
resource into pages on multiple hosts so I'm very puzzled to see that
this isn't working in any browser that I've tried. 


PS: I originally described my problem here:
Received on Monday, 27 June 2016 12:45:52 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:56 UTC