Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Debugging Access-Control-Allow-Origin with Chrome/WebKit

Tags:

http

cors

google-chrome

webkit

I'm trying to use Cross-Origin Resource Sharing with Access-Control-Allow-Origin and related headers. I have it working on Firefox, but Chrome is giving me permission errors, that look this like:

XMLHttpRequest cannot load <remote>. Origin <local> is not allowed by Access-Control-Allow-Origin.

The network inspector shows the request but no response (and doesn't include the OPTIONS preflight request and response). I inspected the request output using curl and reproducing all the headers, and what I see fits what the specification implies (and again, what Firefox accepts). I'm at a loss how to debug this further -- are there tricks for seeing the network activity at a lower level than what Chrome normally provides? Information about how Chrome interprets CORS requests differently than Firefox?

like image 936
Ian Bicking Avatar asked Jan 20 '11 23:01

Ian Bicking

1 Answers

I suspect what you're seeing is a preflight followed by a failing Chrome request due to a bug. That would explain why things work in Firefox but not in Chrome.

Are you sending any custom headers in your request? There's a bug in WebKit where GET requests with custom headers fails (bug here: http://code.google.com/p/chromium/issues/detail?id=57836). I've also noticed that Chrome sometimes expects the Content-Type header in the Access-Control-Allow-Headers list, even though Content-Type is a simple header.

Also, you mention that the network inspector doesn't include the OPTIONS preflight? Which network inspector are you using? I'd recommend using Wireshark, since this gives you details on the actual network traffic that Chrome's inspector doesn't provide (for example, Wireshark will log preflight requests).

Some other debugging tips:

Try the request out in Safari. This will help narrow it down to a Chrome bug or a WebKit bug.

The times I've seen the error you are seeing (Wireshark shows a request but not a response), it is because my server doesn't include the Access-Control-Allow-Origin header, which isn't included because Chrome isn't sending the Origin header (see bug above). In your network trace, do you see an Origin header in the request? Do you have control over the server, and if so, does it receive an Origin header?

Its tough to debug the actual issue without more details. If you are still having issues, can you post request/response headers here?

like image 124
monsur Avatar answered Sep 23 '22 01:09

monsur
Sign in to Comment

Related questions

Websocket - Should client send ping frames?
How to deal with browser's limit of parallel requests per domain in case of a priority AJAX request?
How do I add a custom HTTP Request Header to a Thymeleaf generated Form or Link?
HTTP referrer - AWS, Sharepoint and browsers
How to get http responses from Firefox to machine readable format in real time?
Firebase Cloud Functions Secure HTTPS Endpoints with API key
http upload of huge files over slow network (interruptible)
What does "ERR_HTTP2_PING_FAILED" mean in Chrome error code?
How do I handle errors in Warp using both Rejection and the question-mark operator?
net/http server does not send 100 Continue unless client sends Transfer-Encoding: chunked or nonzero Content-Length
API design to allow client to pick server
How to choose the max thread count for an HTTP servlet container?
RESTifying URLs
Does HttpWebRequest send 200 OK automatically?
Make HTTP/1.1 request with PHP
Should I use the java.net or org.apache.http library for HTTP in my Java application?
Will PHPs fopen follow 301 redirects?
correct HTTP response headers to cause 304s after content expiration
Rails 3, HTTP extensions (WebDAV) and Rack App mounting
"A registration already exists for URI" when hosting same service for HTTPS and HTTP

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!