Ktor: [ktor-client-js] Ktor's User-Agent breaks CORS policy in a browser

Created on 27 Dec 2019  ·  5 Comments  ·  Source: ktorio/ktor

ktor-client-core-js 1.3.0-rc

I'm using the ktor client in a browser to make network requests (obviously), but something recently changed and now ktor provides a default User-Agent in case the developer himself didn't. That ruins things in a browser. The User-Agent header marks the request as non-simple and the browser performs a CORS preflight request first, then rejects the original request because User-Agent is not an allowed header for that server (and particularly any other server).

The worst part is that I cannot override that behavior and delete the User-Agent header from the request, as this check is performed at a later stage inside the engine, so there are no workarounds for me :(.

bug

All 5 comments

The page you are referring to clearly states that User-Agent is allowed and shouldn't trigger preflight. On the other hand, the specification doesn't say that. It is not the first time I have seen that MDN is not precisely correct.

the only headers which are allowed to be manually set are those which the Fetch spec defines as a “CORS-safelisted request-header”, which are:

    Accept
    Accept-Language
    Content-Language
    Content-Type (but note the additional requirements below)
    DPR
    Downlink
    Save-Data
    Viewport-Width
    Width

There is no User-Agent in the list. Any other header will trigger preflight too.
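The decision discussed above, as an added example that is not part of the original thread or of ktor's code: it models only the header part of the browser's CORS check, using the safelist quoted in the comment. The function names, the sample header values and the server's `Access-Control-Allow-Headers` strings are constructed for illustration; the Content-Type and `*` rules are taken from the Fetch specification.

```javascript
// Safelist exactly as quoted in the comment above (names compared lowercased).
const SAFELISTED = new Set([
  "accept", "accept-language", "content-language", "content-type",
  "dpr", "downlink", "save-data", "viewport-width", "width",
]);
// The "additional requirements" for Content-Type: only these MIME types stay simple.
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Returns the lowercased header names that make a request non-simple.
function unsafeHeaders(headers) {
  const out = [];
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFELISTED.has(n)) { out.push(n); continue; }
    if (n === "content-type") {
      const mime = String(value).split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) out.push(n);
    }
  }
  return out.sort();
}

// Parses the server's Access-Control-Allow-Headers preflight response value.
function parseAllowHeaders(value) {
  return new Set((value || "").split(",")
    .map((s) => s.trim().toLowerCase()).filter(Boolean));
}

// Decides whether a preflight is needed and whether the request would be blocked.
function corsDecision(requestHeaders, allowHeadersValue, { credentials = false } = {}) {
  const needed = unsafeHeaders(requestHeaders);
  if (needed.length === 0) return { preflight: false, blocked: false, missing: [] };
  const allowed = parseAllowHeaders(allowHeadersValue);
  // "*" is a wildcard only without credentials, and never covers Authorization.
  const wildcard = allowed.has("*") && !credentials;
  const missing = needed.filter(
    (h) => !allowed.has(h) && !(wildcard && h !== "authorization"));
  return { preflight: true, blocked: missing.length > 0, missing };
}

// Constructed case from the issue: a client-set User-Agent, a server that does not allow it.
console.log(corsDecision(
  { Accept: "application/json", "User-Agent": "example-agent/1.0" },
  "content-type, authorization"));
```

On the server side, the same model shows the two ways out: list `User-Agent` in `Access-Control-Allow-Headers`, or have the client stop sending it.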

Just tested it in chromium - it allows User-Agent in that case. Firefox-only issue?

It doesn't seem that privacy settings affect anything - even with protection fully disabled, Firefox is still blocking User-Agent.

Derp, Chromium just ignores ktor's User-Agent and sends its own in its place. Seems ktor's User-Agent is completely useless in a browser.

Fix in master
