Why does this CORS request to a google Drive Sheet fail in Firefox ? (works in Chrome)

Question

I'm trying to request a google sheet from the client in javascript, using jquery ajax.

The following code works in Chrome but fails in Firefox.

Question : how can I get it to work in Firefox?

If it's a server configuration issue then does this mean it's impossible to link to google drive documents from a firefox client?

Here is the code:

var url = 'http://docs.google.com/spreadsheets/export?id=1-on_GfmvaEcOk7HcWfKb8B6KFRv166RkLN2YmDEtDn4&exportFormat=csv';
$.ajax({
    url : url,
    type : 'GET',
    dataType : 'text',
    success : function(res, status){
        console.log('status : ' + status);
        console.log(res);
    },
    error : function(res, status, error){
        console.log('status : ' + status);
        console.log(res);
        console.log(error);
    }
});

In Chrome I get a 307 response then a 200 with the desired data. In Firefox I get a only a 200 response but with the error message something like "Access-Control-Allow-Origin header missing, Same Origin Policy does not allow to fetch this resource".

Answer 1

The problem is that docs.google.com does not set CORS headers on redirects. And Chrome is not following the specification by not enforcing that and therefore has a security bug of sorts.

Answer 2

docs.google.com is in Chrome's HSTS preload list. The request to http://docs.google.com is transparently rewritten to https://docs.google.com, so no redirect happens.

I assume this will resolve itself if Firefox pulls an updated copy of the HSTS preload list. As Anne notes, simply changing the link to https directly will solve your use case.