Strange issue with CORS preflight request fails on IE 11 - javascript

The problem, is that the the POST query fails on IE11, in all the other browsers it's seems working.
Lets describe the problem step by step:
XHR request from application to REST API.
Preflight OPTIONS request (request parameters are following)
Accept: */*
Origin: https://app.example.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers content-type, accept
:
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Host: api.example.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
preflight request response parameters are:
X-Powered-By: Sugar
Access-Control-Allow-Origin: https://app.example.com
Vary: Origin
Access-Control-Allow-Credentia true
ls:
Access-Control-Allow-Methods: GET,POST,DELETE,OPTIONS
Access-Control-Allow-Headers: X-Requested-With,X-HTTP-Method-Override,Content-Type,Accept
set-cookie: sugar.sid=s%Pb9OoTTPUkVw%2F2vUPoFMNG
LMXACSkQevo; Path=/; Expires=Thu, 15 Jan 2015 18:27:07 GMT; HttpOnly; Secure
Date: Mon, 12 Jan 2015 18:27:07 GMT
Connection: close
The real HTTP request after preflight request parameters:
Accept: application/json
Content-Type: application/json
Referer: https://app.example.com/
Accept-Language: en-US
Origin: https://app.example.com
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Host: api.example.com
Content-Length: 9
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: sugar.sid=s%3A-%2FGF1YoFmRfmBsxK4vLBoGjY5NT0QoYvf5s;
Last response parameters:
Content-Type: application/json; charset=utf-8
Content-Length: 72
Vary: Accept-Encoding
Date: Mon, 12 Jan 2015 18:27:07 GMT
Connection: close
Basically the response end with the IE error: Origin: https://app.example.com not found in Access-Control-Allow-Origin header. Does the first request needs also the Access-**-Origin header, which seems to be missing.
Also followed the CORS flow chart for debugging problem, but I could not spot it http://www.html5rocks.com/static/images/cors_server_flowchart.png.
I am using Node.js Express server with the node-cors module + modified options.

I was using Fiddler to debug this issue on my site and got this message:
HTTP/1.1 400 Bad Request
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Date: Mon, 12 Sep 2016 19:40:20 GMT
Content-Length: 103
{"Message":"The collection of headers 'accept,if-modified-since,cache-control,pragma' is not allowed."}
CORS the collection of headers accept,if-modified-since,cache-control,pragma
So I just added to my web.api the list of missing headers to CORS.
I hope this helps to someone.

Related

Survey JS long loading times status code 302

I am trying to load survey.jquery.min.js and it is taking a long time. Is this something that I am doing wrong when calling it or is it a survey js issue?
Called before </body>
<script type="text/javascript" src="https://unpkg.com/survey-jquery/survey.jquery.min.js"></script>
Http header com/survey-jquery/survey.jquery.min.js
Request Method: GET
Status Code: 302
Remote Address: [2606:4700::6810:7aaf]:443
Referrer Policy: strict-origin-when-cross-origin
access-control-allow-origin: *
cache-control: public, s-maxage=600, max-age=60
cf-cache-status: EXPIRED
cf-ray: 79a7e93c7ac371cf-LHR
content-type: text/plain; charset=utf-8
date: Thu, 16 Feb 2023 17:13:18 GMT
fly-request-id: 01GSDKE0EQKG6989ZPSPDXG931-lhr
location: /survey-jquery#1.9.74/survey.jquery.min.js
server: cloudflare
strict-transport-security: max-age=31536000; includeSubDomains; preload
vary: Accept, Accept-Encoding
via: 1.1 fly.io
x-content-type-options: nosniff
:authority: unpkg.com
:method: GET
:path: /survey-jquery/survey.jquery.min.js
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: script
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0
I have tried to load the page on different devices and network to rule them out as possible issues.

why my chrome does not cache my JavaScript files?

Our one page met some performance issue, during the triage,I found our js files are not cached while other resource like img/css are retrieved from cache(in F12 Network tab, in size column, it shows "from memory cache").
And in Firefox js files are retrieved from cache,this issue only occurred in chrome.
Did someone know the reason?Thanks a lot!
I take a js file request/response for example:
Request Header:
GET /emsaasui/emcpdfui/libs/1.13.0-161128.193454/js/oraclejet/js/libs/require/require.js HTTP/1.1
Host: slc10uan.us.oracle.com:4443
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
Accept: /
DNT: 1
Referer: https://slc10uan.us.oracle.com:4443/emsaasui/emcpdfui/builder.html?dashboardId=15
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Response Header:
HTTP/1.1 200 OK
Date: Tue, 29 Nov 2016 07:59:08 GMT
X-Frame-Options: SAMEORIGIN
Accept-Ranges: bytes
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Tue, 29 Nov 2016 03:38:36 GMT
X-ORACLE-DMS-ECID: 005GajqWd^qDWb85Rjs1yd0006^80000hX
APIGW: true
Set-Cookie: JSESSIONID=DB-vGDHUkRhI0s2oGq-KN_oGs7ToT7oRrZYsz6eXHsMGBgZCxKQv!1414641782; path=/apigw/resources; HttpOnly
Vary: Accept-Encoding
Content-Encoding: gzip
Cache-Control: max-age=2592000
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Language: en

HTTP header ETag not sent back to server

I'm providing an ETag in the Response Header from the server to the browser when supplying a javascript file generated programatically.
On subsequent requests for that same javascript file the ETag does not get supplied back in Request Header by the browser.
I've tried this in both Chrome and IE, same results find below the request and response headers from original request and subsequent one.
Original Request Header
GET /v11/RUNTIME_SUPPORT.GetGlobalFormResources.aspx HTTP/1.1
Host: 101.152.80.163
Connection: keep-alive
Cache-Control: max-age=0
Accept: */*
X-FirePHP-Version: 0.0.6
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.66 Safari/537.36
Referer: http://101.152.80.163/v11/Web_Support.Html.aspx
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,ro;q=0.6,es;q=0.4
Cookie: StaraspxOpenTabsCount=0; ASP.NET_SessionId=jpdkfccaf0zttoxyvys53ac3; STARaspx_SessionId=1006606D-F415-4AE5-AA4C-847625EB2BAE
If-None-Match: 0.0.459
Original Response Header
HTTP/1.1 200 OK
Cache-Control: public, max-age=604800
Content-Type: application/javascript; charset=utf-8
Content-Encoding: gzip
ETag: 0.0.459,0.0.0,0.00
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
ItemType: FORMS
Digest: e0d3a2bdee4c0a48bc4f61bb744755c21c1d6c19
X-Powered-By: ASP.NET
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS
Access-Control-Allow-Headers: callfrom, content-type, runtimecalltype
Access-Control-Allow-Credentials: true
Date: Tue, 12 Apr 2016 11:46:06 GMT
Content-Length: 31763
Subsequent Request Header
GET /v11/RUNTIME_SUPPORT.GetGlobalFormResources.aspx HTTP/1.1
Host: 101.152.80.163
Connection: keep-alive
Cache-Control: max-age=0
Accept: */*
X-FirePHP-Version: 0.0.6
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.66 Safari/537.36
Referer: http://101.152.80.163/v11/Web_Support.Html.aspx
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,ro;q=0.6,es;q=0.4
Cookie: StaraspxOpenTabsCount=0; ASP.NET_SessionId=jpdkfccaf0zttoxyvys53ac3; STARaspx_SessionId=1006606D-F415-4AE5-AA4C-847625EB2BAE
If-None-Match: 0.0.459
Subsequent Response Header
HTTP/1.1 200 OK
Cache-Control: public, max-age=604800
Content-Type: application/javascript; charset=utf-8
Content-Encoding: gzip
ETag: 0.0.459,0.0.0,0.00
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
ItemType: FORMS
Digest: e0d3a2bdee4c0a48bc4f61bb744755c21c1d6c19
X-Powered-By: ASP.NET
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS
Access-Control-Allow-Headers: callfrom, content-type, runtimecalltype
Access-Control-Allow-Credentials: true
Date: Tue, 12 Apr 2016 11:46:48 GMT
Content-Length: 31763
I've identified the root causes for ETags not working in my scenario:
I should have looked at the If-None-Match request header field rather than expecting an ETag field be provided to the server (more details here Header Field Definitions)
I should have not used commas in my ETag respose header field value, only the sub-string before the first comma gets sent back in request header field If-None-Match. In my case the ETag value in respose header was 0.0.459,0.0.0,0.00 and the subsequent request had 0.0.459 in the If-None-Match header field.
Response header from server now: HTTP/1.1 304 Not Modified :)

Chrome for IOS CORS

I'm experiencing an odd issue. I have a well (as I thought) setup CORS on my server, but it works just once after page refresh. All other requests become skipped or dropped. The XHR has status 0 and there's no response text (i know it's silly to expect any text for HTTP 204) or statusText, but readyState is 4.
Request OPTIONS headers:
OPTIONS http://domain2.xx HTTP/1.1
Host: domain2.xx
Proxy-Connection: keep-alive
Access-Control-Request-Headers: origin, content-type
Access-Control-Request-Method: POST
Origin: http://domain1.xx
Accept: */*,image/webp
Referer: http://domain1.xx/index.html
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1 (KHTML, like Gecko) CriOS/47.0.2526.107 Mobile/13C75 Safari/601.1.46
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4</i>
Response OPTIONS headers are:
HTTP/1.1 204 No Content
Server: nginx
Date: Sat, 19 Dec 2015 14:56:10 GMT
Content-Type: text/plain
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Origin,Cache-Control,Content-Type,Cookie,X-Requested-With,Accept,Authorization,Accept-Language,Content-Language,Last-Event-ID,X-HTTP-Method-Override
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: http://domain1.xx
Access-Control-Expose-Headers: Access-Control-Allow-Origin
Access-Control-Max-Age: 0
Cache-Control: max-age=0
Set-Cookie: ******; Expires=Thu, 31 Dec 2037 23:55:55 GMT; Max-Age=315576000; Path=/; HttpOnly
Connection: keep-alive
This happens only in Chrome on iOs. All other browsers behave good. (Under all I mean IE8+, Chrome(Win7+,MacOs,Linux,Android), FF(Win7+,MacOsX,Linux,Android), Safari (MacOsX, iOs), Opera (Win7+,Linux,Android,iOs), Coast iOs, UC Browser ( android, iOs ) and may be I could forget some where this works ok).
Thanks

Response header disappears with Angular

I'm trying to get Chrome Logger working in an Angular app running against a PHP backend, but for some reason the X-ChromeLogger-Data header doesn't seem to be coming through when the API is accessed by the Angular app.
If I open the API's access point directly or hit it with a jQuery.get() request everything works fine, even if I make the ajax request from another domain. The API also works correctly otherwise, even when used by the Angular app. It's just that one header disappears somewhere along the way. It doesn't even appear in Chrome's console.
What could cause a header to disappear?
Here's a request made with jQuery.get()
Request:
GET /?action=load HTTP/1.1
Host: -
Connection: keep-alive
Accept: application/json, text/javascript, */*; q=0.01
Origin: -
X-FirePHP-Version: 0.0.6
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Referer: -
Accept-Encoding: gzip, deflate, sdch
Accept-Language: fi-FI,fi;q=0.8,en-US;q=0.6,en;q=0.4,sv;q=0.2
Response:
HTTP/1.1 200 OK
Date: Sat, 07 Nov 2015 10:41:22 GMT
Server: Apache/2.4.12 (Ubuntu)
X-Powered-By: PHP/5.6.11-1ubuntu3.1
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, X-ChromeLogger-Data
X-ChromeLogger-Data: eyJ2ZXJzaW9uIjoiNC4wIiwiY29sdW1ucyI6WyJsYWJlbCIsImxvZyIsImJhY2t0cmFjZSIsInR5cGUiXSwicm93cyI6W1siQVBJIiwiQVBJIHJlYWNoZWQiLCJ1bmtub3duIiwid2FybiJdXSwicmVxdWVzdF91cmkiOiJcLz9hY3Rpb249bG9hZCJ9
Content-Length: 15
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
And here's one from the Angular app:
Request:
GET /?action=load HTTP/1.1
Host: -
Connection: keep-alive
Accept: application/json, text/plain, */*
Origin: -
X-FirePHP-Version: 0.0.6
User-Agent: Mozilla/5.0 (Linux; U; Android 4.0; en-us; GT-I9300 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Referer: -
Accept-Encoding: gzip, deflate, sdch
Accept-Language: fi-FI,fi;q=0.8,en-US;q=0.6,en;q=0.4,sv;q=0.2
Response:
HTTP/1.1 200 OK
Date: Sat, 07 Nov 2015 10:34:33 GMT
Server: Apache/2.4.12 (Ubuntu)
X-Powered-By: PHP/5.6.11-1ubuntu3.1
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, X-ChromeLogger-Data
Content-Length: 15
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
The Angular code used to make the above request:
$http.get( endpoint, { params : { action : 'load' } } ).then(
function( response ) {
console.log( response );
},
function() {
console.log( 'fail' );
}
);
After Dvir's tip to further inspect the differences between the requests (with the aid of Fiddler) I finally manager to solve the problem. I was running the Angular app with Chrome's mobile device simulator turned on, and it turns out the Monolog ChromePHPHandler requires for the text "Chrome" to be present in the User-Agent header, which it wasn't when the simulator was turned on.

Categories