CefSharp: JavaScript fetch() call doesn't make the pre-flight OPTIONS call - javascript

Using CefSharp version 71.
While making fetch() call from JavaScript, it should ideally make the pre-flight OPTIONS call before making the GET/POST call.
But it doesn't actually make it.
But if I try it in the Chrome browser, it does.
Tried this on Chrome browser, and it does make the pre-flight OPTIONS call.
The result of this is, since OPTIONS call is not made, CORB is stopping the response.
The error is:
Cross-Origin Read Blocking (CORB) blocked cross-origin response https://some-api.com/blah with MIME type application/json. See https://www.chromestatus.com/feature/5629709824032768 for more details.

It looks like WebSecurity is set to disabled in your BrowserSettings.
browserPlay.BrowserSettings = new BrowserSettings()
{
WebSecurity = CefState.Disabled
};
Steps to Reproduce:
Add the above code in the application
Make a cross origin GET Request, notice that the request is made without "Origin:" header and Response does not have CORS headers.
In console, you will see the following CORB error: Cross-Origin Read Blocking (CORB) blocked cross-origin response
I tested the above on CEF version 73.1.13

Related

Fetch throws "TypeError: Failed to fetch" for successful, same-origin request

We have been encountering inconsistent client errors with a single-page JavaScript application making fetch requests. Of note, they are all same-origin requests.
let request = new Request(url, options);
...
window.fetch(request)
.then(response => response.json())
.then(data => ...)
.catch(error => ...)
Around 5% of the promises are rejecting with the following error despite the server and the browser receiving a 200 OK response:
TypeError: Failed to fetch
I'm stumped... All of my searches lead to discussions about CORS errors. That doesn't seem to apply given these are all same-origin requests. What is causing the fetch to throw the TypeError?
I can confirm using the Network tab in Chrome DevTools that the fetch request completes with a 200 OK response and valid JSON. I can also confirm that the URLs are same-origin. I can also confirm that there are no CORS pre-flight requests. I have reproduced this issue on Chrome 66 and Safari 11.1. However, we've received a stream of error reports from a mix of Chrome and Safari versions, both desktop and mobile.
EDIT:
This does not appear to be a duplicate of the linked question as we are not sending CORS requests, not setting mode: "no-cors", and not setting the Access-Control-Allow-Origin header.
Additionally, I re-ran tests with the mode: 'same-origin' option set explicitly. The requests are (still) successful; however, we (still) receive the intermittent TypeError.
I know that this is an old issue, but after searching the entire evening I want to share my findings so you can spend your time better.
My web app also worked well for most users but from time to time visitors received the error mentioned in the question. I'm not using any complicated infrastructure (reverse proxy etc.) setup nor do I communicate with services on a different domain/protocol/port. I'm just sending a POST request to a PHP-File on the same server where the React app is served from.
The short answer: My problem was that I've sent the request to the backend by using an absolute URL, like https://my-fancy-domain.com/funky_service.php. After changing this to a relative path like /funky-service.php the issue was gone.
My explanation: Most users come to the site without www in the URL, but some users actually do type this part in their address bars (www.my-fancy...). It turned out that the www is part of the origin, so when these users submit the form and send post requests to https://my-fancy... it's technically another origin. This is why the browser expects CORS headers and sometimes even sends an OPTIONS preflight request. When you use a relative path in your JavaScript-Code the post request will also include the www-part (uses the origin from the address bar) -> same-origin -> no CORS hassle. As it only affects visitors that come with the www to your site it also explains the fact that it worked for most users even with the absolute URL.
Also important to know: The request fails in the browser/ JavaScript-Code but is actually sent to the backend (very ugly!).
Let me know if you need more information. Actually, it is very simple but hard to explain (and to find)
The issue could be with the response you are receiving from back-end. If it was working fine on the server then the problem could be with the response headers. Check the Access-Control-Allow-Origin (ACAO) in the response headers. Usually react's fetch API will throw fail to fetch even after receiving response when the response headers' ACAO and the origin of request won't match.
Ref: Getting "TypeError: failed to fetch" when the request hasn't actually failed

Getting JIRA filter results in AngularJS

I'm trying to follow AngularJS $http, CORS and http authentication to get filter results from JIRA and I can't make it work.
If I use the GET method, the console reports:
XMLHttpRequest cannot load
https://.../rest/api/2/search?jql=filter=28203.
Response to preflight request doesn't pass access control check: No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'null' is therefore not allowed access.
Even though I've set useXDomain.
If I use the JSONP method, my success callback never gets invoked. I've tried .success, .then, and JSON_CALLBACK and none work. While JSONP isn't suppose to work at all in modern JIRA, I can see a successful response with the expected data in Chrome's Developer Tools' network work tab but the console reports:
Refused to execute script from
'https://.../rest/api/2/search?jql=filter=28203' because its MIME type
('application/json') is not executable, and strict MIME type checking
is enabled.
My code -- based on that from the CORS question above -- is at https://plnkr.co/edit/IO4air3eN2vDoaOXJous?p=preview
What am I missing?

Cross Domain JSON - does it matter what server provides source? [duplicate]

This question already has answers here:
XMLHttpRequest cannot load XXX No 'Access-Control-Allow-Origin' header
(11 answers)
Closed 3 years ago.
I've found simple tutorial how to make cross domain json call here
And it works perfectly fine, so i decided to use this example, just change url from:
var url = "http://api.myjson.com/bins/23xvb";
to
var url = "http://dl.sniper.pl/test.json"
Unfortunately changing it returns such an error (in chrome):
XMLHttpRequest cannot load http://dl.sniper.pl/test.json. Response to
preflight request doesn't pass access control check: No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'null' is therefore not allowed access.
Googling that error didnt provide any answers to find a solution so here's the question:
Why i get such an error and how to solve it?
The http://dl.sniper.pl/ server must be configured to send the Access-Control-Allow-Origin response header in responses to requests for http://dl.sniper.pl/test.json.
But because that server isn’t sending the Access-Control-Allow-Origin response header, your browser is refusing to allow your frontend JavaScript code to access that response.
So you either nust configure the http://dl.sniper.pl/ server to send Access-Control-Allow-Origin or else you can make the request through a CORS proxy.
There’s an open CORS proxy you can make you request through by changing your code to this:
var url = "https://cors-anywhere.herokuapp.com/http://dl.sniper.pl/test.json"
That sends the request through the open CORS proxy https://cors-anywhere.herokuapp.com which adds the Access-Control-Allow-Origin response header to it and then passes that back to your requesting frontend code as the response.
That response with the Access-Control-Allow-Origin response header is what the browser sees, so the browser allows your frontend JavaScript code to actually access the response.
You can also easily set up your own CORS proxy using https://github.com/Rob--W/cors-anywhere/
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS for an explanation of how browsers behave when you send cross-origin requests frontend JavaScript code using XHR or the Fetch API or AJAX methods from JavaScript libraries—and for details about what response headers must be received in order for browsers to allow frontend code to access the responses.
you should configure you server todo this in your htaccess
u need something like this
<RequireAll>
Require all granted
</RequireAll>

How To Call Medium RSS Feed

Medium has an RSS feed available at https://medium.com/feed/[#username]. I'm trying to fetch all my blog posts using an XMLHTTPRequest. When I test on local, I run into CORs errors. When I turn on CORs Chrome extension, I get a 401 error. Any ideas? Has anyone succeeded in calling Medium RSS?
To get https://medium.com/feed/[#username] content using XHR, you can make the XHR request through a proxy of some kind. For example, trying giving your current XHR code this URL:
https://cors-anywhere.herokuapp.com/https://medium.com/feed/#sideshowbarker
That’ll cause the request to go to https://cors-anywhere.herokuapp.com, a open/public CORS proxy which then sends the request on to https://medium.com/feed/#sideshowbarker.
And when that proxy gets the response, it takes it and adds the Access-Control-Allow-Origin response header to it and then passes that back to your requesting frontend code as the response.
That response with the Access-Control-Allow-Origin response header is what the browser sees, so the error message the browser is showing you now goes away, and the browser allows your frontend JavaScript code to access the response.
Or use the code from https://github.com/Rob--W/cors-anywhere/ or such to set up your own proxy.
The reason you need a proxy is, responses from https://medium.com/feed/[#username] don’t include the Access-Control-Allow-Origin response header, so your browser will refuse to let your frontend JavaScript code access those responses cross-origin.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS has more details.
This is a bug.
Bug has opened. (Dan Abramov approved)

AJAX POST request working in POSTMAN but not in Chrome

I am trying to make a simple AJAX POST request. This request when executed in POSTMAN works fine. However, when I code it in jQuery and try to make the same request, I get
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'file://' is therefore not allowed access. The response had HTTP status code 415.
Now, I have to make a POST request and hence using JSONP as type in the request won't help. I do not have access to server code to modify it. My basic understanding is that if POSTMAN can execute it, then i should be able to do it as well
the status code is self explanatory.
415 it's returned from the server when you sent an unsupported content type (e.g. an xml). double check the type of data you're passing to the post request in your code.
415 UNSUPPORTED MEDIA TYPE The origin server is refusing to service
the request because the payload is in a format not supported by this
method on the target resource.
The format problem might be due to the request's indicated
Content-Type or Content-Encoding, or as a result of inspecting the
data directly.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/415
I doesn't automatically work in the browser if it works in Postman. You can still get CORS-errors.
You might also check the content type, you are getting HTTP STATUS 415 which is UNSUPPORTED MEDIA TYPE
. This might be your problem, the media type differs in the request.
I also noticed you are serving from file://, maybe you should host it so you are serving your site from localhost instead.
Ok, so the issue is you are running your page from a file directly(May be just double clicking on the file in windows) rather using an server.
So first of all access the page via server, install any server like apache, and access the page via
http://localhost/pagename

Categories