- From: Tim Berners-Lee <timbl@w3.org>
- Date: Sat, 12 Aug 2017 16:08:58 -0400
- To: Alex Russell <slightlyoff@google.com>
- Cc: Ralph Swick <swick@w3.org>, Yves Lafon <ylafon@w3.org>, www-archive@w3.org
- Message-Id: <BAA808E3-0BCA-45AF-845C-541D35D7A330@w3.org>
Alex Notwithstanding issues with the design of CORS, Chrome doesn’t in fact do it properly. If you request the same resource first from one origin and then from another, it serves the cached version, which then fails cord because the Origin and access-control-allow-origin headers don’t match. This even when the returned headers have “Vary: Origin”, which should prevent that same cached version being reused for a different origin. This has been a problem for a long time. It is frustrating. Do you have a timescale for fixing it in Chrome? Chrome Version 59.0.3071.115 (Official Build) (64-bit) Tim Console log: Fetch API cannot load https://dokie.li/new. The 'Access-Control-Allow-Origin' header has a value 'https://foobar.com' that is not equal to the supplied origin. Origin 'http://localhost:3080' is therefore not allowed access. Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled. Network tab: Request URL:https://dokie.li/new Request Method:GET Status Code:200 (from disk cache) Remote Address:128.199.36.58:443 Referrer Policy:no-referrer-when-downgrade Response headers: accept-ranges:bytes access-control-allow-credentials:true access-control-allow-headers:Link, Location, Accept-Post, Content-Type access-control-allow-methods:POST, GET, HEAD, OPTIONS access-control-allow-origin:https://foobar.com access-control-expose-headers:User, Location, Link, Vary, Last-Modified, ETag, Accept-Patch, Accept-Post, Updates-Via, Allow, Content-Length content-length:2303 content-type:text/html; charset=UTF-8 date:Sat, 12 Aug 2017 15:00:31 GMT etag:"8ff-554fac4f3cdf1" last-modified:Sun, 23 Jul 2017 11:55:06 GMT server:Apache/2.4.25 (Ubuntu) status:304 vary:Origin,Accept-Encoding x-content-type-options:nosniff Request headers Provisional headers are shown accept:image/*;q=0.9, */*;q=0.1, application/rdf+xml;q=0.9, application/xhtml+xml, text/xml;q=0.5, application/xml;q=0.5, text/html;q=0.9, text/plain;q=0.5, text/n3;q=1.0, text/turtle;q=1 Origin:http://localhost:3080 Referer:http://localhost:3080/foobar/Public/Test/ User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 $ curl -I https://dokie.li/new HTTP/1.1 200 OK Date: Sat, 12 Aug 2017 19:52:41 GMT Server: Apache/2.4.25 (Ubuntu) Upgrade: h2,h2c Connection: Upgrade Last-Modified: Sun, 23 Jul 2017 11:55:06 GMT ETag: "8ff-554fac4f3cdf1" Accept-Ranges: bytes Content-Length: 2303 Access-Control-Allow-Credentials: true Access-Control-Allow-Methods: POST, GET, HEAD, OPTIONS Access-Control-Allow-Headers: Link, Location, Accept-Post, Content-Type Access-Control-Expose-Headers: User, Location, Link, Vary, Last-Modified, ETag, Accept-Patch, Accept-Post, Updates-Via, Allow, Content-Length Vary: Origin,Accept-Encoding X-Content-Type-Options: nosniff Content-Type: text/html; charset=UTF-8 $
Received on Saturday, 12 August 2017 20:09:03 UTC