Browser-laptop: CORS Redirects to same domain are blocked

Created on 27 Nov 2018 · 10 Comments · Source: brave/browser-laptop

Troubleshooting checklist

There's a good chance the bug you're about to report is fixed in the new version of Brave

If you'd like to continue for this old version, please check the applicable items:

  • [X] Yes I did try the new version
  • [X] I believe this issue is critical for users (security issue, bug that prevents folks from using the software)
  • [X] I've read the FAQs and Common Issues section on community.brave.com (https://community.brave.com/c/common-issues)

Description

When attempting to make a CORS request from JavaScript, 307 redirect responses to the same domain are blocked. The error which appears is: Access to fetch at 'https://cognito-idp.us-west-2.amazonaws.com/' from origin 'https://dashboard.nodesmith.io' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

In this example we are receiving a redirect (307) response; the redirect domain is exactly the same as the original, so the redirect should be allowed.

Here's what the request looks like:

General
Request URL: https://cognito-idp.us-west-2.amazonaws.com/
Request Method: OPTIONS
Status Code: 307 Internal Redirect
Referrer Policy: no-referrer-when-downgrade

Response Headers
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://dashboard.nodesmith.io
Location: https://cognito-idp.us-west-2.amazonaws.com/
Non-Authoritative-Reason: Delegate

Request Headers
Provisional headers are shown
Access-Control-Request-Headers: content-type,x-amz-target,x-amz-user-agent
Access-Control-Request-Method: POST
Origin: https://dashboard.nodesmith.io
Referer: https://dashboard.nodesmith.io/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36

I don't see the same issues in Chrome or Firefox. Additionally, if I enable 3rd party cookies for the page, the request will go through (I'm not quite sure how the 3rd party cookies are related to all this).

Steps to Reproduce

Edit: These steps no longer reproduce the issue because we switched out our authentication system to get around this bug. There are plenty of other examples of the bug in the issue though.

  1. Go to https://dashboard.nodesmith.io/#/logIn
  2. Enter [email protected] for username and ABC123!@# for a password
  3. Hit Log In

EXPECTED: Requests hit the IDP servers and notify that the password is invalid
ACTUAL: CORS error on the 307 response

What version of Brave are you using?

0.56.15 Chromium: 70.0.3538.110 (Official Build) (64-bit)

open-in-brave-core
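As an added illustration (not code from this issue, from Brave or from Chromium), the Node.js snippet below models the CORS-preflight response check a browser performs, in the order the Fetch spec applies it, and runs it over the OPTIONS exchange captured in the report above; the preflight's credentials mode and the 204 "direct answer" response are assumptions constructed for the example, not values from the report.

```javascript
// Simplified model of a browser's CORS-preflight response check (Fetch spec order).
// Example code added to this page; not Brave's or Chromium's implementation.
const SAFELISTED_METHODS = ['get', 'head', 'post'];
function isOkStatus(status) { return status >= 200 && status <= 299; }
function parseList(value) {
  return (value || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
}
// request: { origin, method, headers: [names], credentials: bool }; response: { status, headers: {lowercase name: value} }
function preflightCheck(request, response) {
  const h = response.headers;
  // A preflight response must be 2xx: a redirect is rejected before any Access-Control-* header is read.
  if (!isOkStatus(response.status)) {
    return { ok: false, reason: `preflight status ${response.status} is not ok` };
  }
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin !== '*' && allowOrigin !== request.origin) {
    return { ok: false, reason: 'Access-Control-Allow-Origin does not match' };
  }
  if (request.credentials && (allowOrigin === '*' || h['access-control-allow-credentials'] !== 'true')) {
    return { ok: false, reason: 'credentials not allowed' };
  }
  const wildcardOk = !request.credentials; // "*" is a literal, not a wildcard, for credentialed requests
  const methods = parseList(h['access-control-allow-methods']), method = request.method.toLowerCase();
  if (!SAFELISTED_METHODS.includes(method) && !methods.includes(method) && !(wildcardOk && methods.includes('*'))) {
    return { ok: false, reason: `method ${request.method} not allowed` };
  }
  const allowedHeaders = parseList(h['access-control-allow-headers']);
  for (const name of request.headers) {
    if (!allowedHeaders.includes(name.toLowerCase()) && !(wildcardOk && allowedHeaders.includes('*'))) {
      return { ok: false, reason: `header ${name} not allowed` };
    }
  }
  return { ok: true, reason: '' };
}
// Preflight from the report; credentials: true is an assumption (the response advertises Allow-Credentials).
const reportedPreflight = {
  origin: 'https://dashboard.nodesmith.io', method: 'POST',
  headers: ['content-type', 'x-amz-target', 'x-amz-user-agent'], credentials: true,
};
// The 307 "Internal Redirect" captured in the report: same URL, matching origin, still rejected.
const reportedResponse = { status: 307, headers: {
  'access-control-allow-origin': 'https://dashboard.nodesmith.io',
  'access-control-allow-credentials': 'true',
  'location': 'https://cognito-idp.us-west-2.amazonaws.com/' } };
// Constructed: answering OPTIONS directly. POST is safelisted, so only the requested headers need listing.
const fixedResponse = { status: 204, headers: {
  'access-control-allow-origin': 'https://dashboard.nodesmith.io',
  'access-control-allow-credentials': 'true',
  'access-control-allow-headers': 'content-type,x-amz-target,x-amz-user-agent' } };
console.log(preflightCheck(reportedPreflight, reportedResponse).ok, preflightCheck(reportedPreflight, fixedResponse).ok); // false true
```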

All 10 comments

I am seeing this issue as well and can confirm it does not happen on Chrome/Firefox browsers (desktop). According to this thread the standard was updated to allow redirects.

https://stackoverflow.com/questions/34949492/cors-request-with-preflight-and-redirect-disallowed-workarounds

Running into the same issue:

Access to fetch at 'https://api.spotify.com/v1/me/notifications/user?connection_id=xxxxxxx' from origin 'https://sdk.scdn.co' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

I see the same issue when attempting to login to https://topcoder.com. This does not happen on Chrome, Firefox, or Safari.

Access to fetch at 'https://topcoder.auth0.com/oauth/ro' from origin 'https://accounts.topcoder.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

Seeing this too on my dev site. CORS has been set correctly and works fine on all other browsers.

Version 0.57.18 Chromium: 71.0.3578.80 (Official Build) (64-bit)

+1 !

I have the exact same problem with a 307 Internal redirect on an OPTIONS call to my API.
It appeared this morning after updating to:
Version 0.57.18 Chromium: 71.0.3578.80 (Build officiel) (64 bits)

Works fine on Chrome 71
Version 71.0.3578.80 (Build officiel) (64 bits)

Seeing this issue as well, this site: http://www.humanaut.is/ works on Safari, Chrome and Firefox. But breaks entirely due to CORS error as seen in the console.

It is also happening to me! I updated today and I get 307 redirect in calls to my API, and Chrome works fine.

Version 0.57.18 Chromium: 71.0.3578.80 (Official Build) (64-bit)

Same thing here, worked just fine yesterday.

Recently receiving this too [1]. This is bad, since all AWS API Gateway CORS integrations work by redirecting the OPTIONS request to itself. Works in other browsers.

[1] Version 0.57.8 Chromium: 71.0.3578.53 (Official Build) beta (64-bit)

Hey there folks! This is actually the repository for the older Muon-based version of Brave.

There is an issue tracking this though. Please check out https://github.com/brave/brave-browser/issues/2252 and subscribe for updates 😄
