I have a problem with the way Safari handles CORS requests. Consider the following scenario:
This works in Chrome, FF, but it fails on Safari (tested on Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/600.8.9 (KHTML, like Gecko) Version/8.0.8 Safari/600.8.9).
When I make the request without xhr.withCredentials turned on, first, Safari makes an OPTIONS preflight request prior to the actual request to DomainC, which IMHO is not necessary as all requests are simple requests, but that I can handle. The problem is Safari fails after the preflight request to DomainC saying "Cannot make any request from null". I can bypass this by setting Access-Control-Allow-Origin to * and dropping the Access-Control-Allow-Credentials header (those are mutually exclusive), which would make this scenario work. However, I still think this is not correct behavior.
Now, the thing is I need credentials to be passed (and no, I cannot pass them some other way as it depends on some third-party servers). So, let's set xhr.withCredentials to true and we are back to "Cannot make any request from null", and now even wildcarding Access-Control-Allow-Credentials does not help.
I think all CORS headers are set properly, but please feel free to check me. Test example can be found here: http://a.ihatesafari.com
What is going on here? Is it a bug or am I missing something?
Thanks for answers
Simple CORS requests will follow redirects. Preflight requests will not follow redirects. If the redirect is to the same server as the original request, the Origin header will stay the same. Otherwise, the Origin header will be set to null.
How to fix it? You should only use 302 redirects where the redirection is temporary and content will come back to the original URL soon. Check the reported URLs. Where the redirection is permanent, change the redirection to 301 (Moved Permanently).
The 302 status code is a redirection message that occurs when a resource or page you're attempting to load has been temporarily moved to a different location. It's usually caused by the web server and doesn't impact the user experience, as the redirect happens automatically.
What is a 302 redirect? Whereas a 301 redirect is a permanent relocation of your URL, a 302 redirect is a temporary change that redirects both users and search engines to the desired new location for a limited amount of time, until the redirect is removed.
I was experiencing this issue as well and found this bug from 2012 that appears to be describing it. Running the test code referenced in the bug in FF / Chrome / Safari yielded failures only in Safari. It appears that the bug has not been patched.
Ultimately to get around this, I modified our HTTP API to add an optional query parameter to trigger a different response that returned a 200 OK with a JSON body containing the url that the client was to follow. Unfortunately if you're a consumer of someone else's HTTP API this won't help much.
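The workaround described in the answer above, sketched as an added example (not code from the post or its author): the server answers 200 OK with the target URL in JSON when an optional query parameter is present, and the client validates that URL before making a second credentialed request from its own origin. The parameter name `redirect=json`, the `.example` hosts and the allowlists are assumptions made for illustration.

```javascript
// Added example. The parameter "redirect=json", the hosts and the paths are
// constructed for illustration; they are not from the original post.
const ALLOWED_ORIGINS = new Set(['https://a.example']);  // pages allowed to send credentials
const ALLOWED_TARGET_HOSTS = new Set(['c.example']);     // hosts the client may be sent on to

// Server side: decide how to answer a request that would normally redirect.
function buildRedirectResponse(requestUrl, origin, target) {
  const headers = {};
  // Credentialed CORS needs the exact origin echoed back, never "*".
  if (ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Vary'] = 'Origin';
  }
  const wantsJson = new URL(requestUrl).searchParams.get('redirect') === 'json';
  if (!wantsJson) {
    // Default behaviour: a real redirect for clients that handle it.
    return { status: 302, headers: { ...headers, Location: target }, body: '' };
  }
  // Workaround: 200 OK plus the URL, so the browser never follows a
  // cross-origin redirect itself and the Origin header is never reset to null.
  headers['Content-Type'] = 'application/json';
  return { status: 200, headers, body: JSON.stringify({ url: target }) };
}

// Client side: validate the URL from the JSON body before requesting it,
// so the endpoint cannot be used to bounce credentialed requests anywhere.
function nextHop(body) {
  const next = new URL(JSON.parse(body).url);  // throws on a missing or relative URL
  if (next.protocol !== 'https:' || !ALLOWED_TARGET_HOSTS.has(next.hostname)) {
    throw new Error('refusing to follow ' + next.href);
  }
  return next.href;
}

// Browser usage (defined only, not called here): two ordinary credentialed
// requests issued by the page instead of one request plus a redirect.
async function fetchViaJsonRedirect(url) {
  const first = await fetch(url + '?redirect=json', { credentials: 'include' });
  return fetch(nextHop(await first.text()), { credentials: 'include' });
}
```

The server at the final URL still has to return its own credentialed CORS headers for the page's origin, since the second request is a normal cross-origin request.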