We're POSTing an AJAX request to a server running locally, i.e.
xhr.open("POST", "http://localhost:9000/context/request");
xhr.addHeader(someCustomHeaders);
xhr.send(someData);
The page that this javascript is being executed is also being served from localhost:9000, i.e. this totally looks like a same-origin request.
However, for some reason, Google Chrome always sets an Origin header in the resulting request, causing our server to block the request based on the false assumption that it's CORS request.
This does not happen in Firefox.
Also, neither Firefox nor Chrome are sending an OPTIONS preflight request, which is confusing; why set an Origin header without first preflighting to make sure the the Origin and the Custom headers are allowed by the server?
Does anyone know what is going on in this case? Are we misunderstanding the CORS spec?
Chrome and Safari include an Origin
header on same-origin POST/PUT/DELETE requests (same-origin GET requests will not have an Origin header). Firefox doesn't include an Origin
header on same-origin requests. Browsers don't expect CORS response headers on same-origin requests, so the response to a same-origin request is sent to the user, regardless of whether it has CORS headers or not.
I would recommend checking the Host
header, and if it matches the domain in the Origin
header, don't treat the request as CORS. The headers look something like this:
Host: example.com
Origin: http://example.com
Note that Origin
will have the scheme (http/https), domain and port, while Host
will only have the domain and port.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With