CORS issue because of Brave Shields #2252

Closed
SilencerWeb opened this Issue Nov 27, 2018 · 29 comments

SilencerWeb commented Nov 27, 2018

Consolidated Test plan from all related issues

Test plan

  1. Open https://eslint-config-development.netlify.com.
  2. Console should not log any CORS errors

  1. Visit chart.js
  2. Ensure charts are not broken
  3. Console should not log any CORS errors

  1. Visit https://www.wikiloc.com/mountain-biking-trails/la-quinta-cove-226486
  2. Ensure maps show correctly for both Satellite and Map
  3. Console should not log any CORS errors

  1. Open a new issue on GitHub with default shields settings
  2. Try to upload an image
  3. Should be able to upload image without any issues
  4. Console should not log any CORS errors

  1. Visit www.reddit.com
  2. Locate a posted video hosted by reddit (https://www.reddit.com/r/Seattle/comments/9uhb5h/snoqualmie_falls_with_foliage_thanks_wa/)
  3. Ensure video plays without any issue

  1. Visit https://d.tube and open any video
  2. Video should start streaming
  3. Console should not log any CORS errors

  1. Go to namecheap.com
  2. Search for a domain
  3. Search result should show up
  4. Console should not log any CORS errors

  1. Go to https://www.skill-capped.com/
  2. Login should be successful
  3. Console should not log any CORS errors

Original issue Description

I have a website deployed on netlify that makes requests to a server that is deployed to heroku; they are both on different domains. I enabled CORS in my server setup but I keep getting the error `Access to fetch at 'https://eslint-config-api-server.herokuapp.com/' from origin 'https://eslint-config-development.netlify.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.` It works like that only in Brave.

Steps to Reproduce

  1. Open https://eslint-config-development.netlify.com.
  2. Open console.

Brave version (brave://version info)

0.56.15 Chromium: 70.0.3538.110 (Official Build) (64-bit)

Reproducible on current release:

  • Does it reproduce on brave-browser dev/beta builds? I don't know, I don't use such builds.

Website problems only:

  • Does the issue resolve itself when disabling Brave Shields? Yes.
  • Is the issue reproducible on the latest version of Chrome? No.

charlescrtr commented Nov 28, 2018

Can confirm I'm seeing the same issue when trying to log in to https://prisma.io. Issue fixes itself when Shields are disabled.

Brave version
Version 0.56.15 Chromium: 70.0.3538.110 (Official Build) (64-bit)

OrKoN commented Nov 29, 2018

I experience the same problem when trying to perform a CORS request with Brave:

Brave | 0.56.15 Chromium: 70.0.3538.110 (Official Build) (64-bit)
-- | --
Revision | ca97ba107095b2a88cf04f9135463301e685cbb0-refs/branch-heads/3538@{#1094}

bbondy added this to Untriaged / Incoming in Shields via automation Dec 2, 2018

bbondy added this to the 1.x Backlog milestone Dec 2, 2018

dwwoelfel commented Dec 3, 2018

I think this is because Brave is stripping out the Origin header from the initial OPTIONS request.

JFrankfurt commented Dec 6, 2018

I am seeing this all over the place now that I am looking for it. (In fact, I'm seeing it on this github page right now.) It has caused me some problems with calls to non-origin servers in my own work and broken dApp usage with Brave.

LukeDearden commented Dec 10, 2018

Azure Portal is unusable in Brave because of this even with Shields down

Author

SilencerWeb commented Dec 10, 2018

Some of the charts from chart.js break because of this:

image

image

Here is the link to this example - https://www.chartjs.org/samples/latest/charts/line/multi-axis.html

bsclifton referenced this issue Dec 13, 2018

Closed

CORS Redirects to same domain are blocked #15319

3 of 3 tasks complete

Member

bsclifton commented Dec 13, 2018

Several +1s from brave/browser-laptop#15319

renschler commented Dec 13, 2018

I also have this error but even with shields down.

I am collecting sensitive information within an iframe with a cross-domain src (do I have to manually whitelist the iframe domain from brave shield also?).

The iframe page makes a fetch call to POST the information. I'm noticing the CORS preflight OPTIONS request has the origin set to null as @dwwoelfel mentioned. Not sure if that's why it's failing? Things work in Firefox & Chrome.

bbondy added priority/P2 and removed priority/P4 labels Dec 13, 2018

kxlt commented Dec 13, 2018

Same problem here. Gmail 2FA broken because of this.

On our website, https://www.wikiloc.com, we use Apple MapkitJS and all maps are broken as well.

More users reporting the same issue: https://community.brave.com/t/latest-update-broke-cors-for-my-webapp/39135

Breakage on The Guardian, Facebook and Instagram: https://community.brave.com/t/too-many-redirects-fb-ig-the-guardian/39543/2

jamendub commented Dec 14, 2018

Got a similar problem that I described there: brave/browser-laptop#15319

Author

SilencerWeb commented Dec 16, 2018

Gosh, these shields block even request from Figma!

jmadkins commented Dec 17, 2018

The user's profile image doesn't load with Shields Up on the Azure Portal. Shields Down allows the profile image and some panes to load. However, the majority of panes don't load regardless of Shield settings.

Version 0.57.18 Chromium: 71.0.3578.80 (Official Build) (64-bit)

iefremov self-assigned this Dec 17, 2018

petethompson commented Dec 17, 2018

I'm experiencing the same cross-origin issue, with a JavaScript HTTP request from one of my client's websites, requesting data from the service where they store their content. It seems like the Shield option for blocking cookies is responsible.

iefremov commented Dec 18, 2018

This change seems to break all preflight CORS requests and hence all CORS requests that require preflight: https://github.com/brave/brave-core/pull/754/files

Since we always clean referrer for cross-origin requests, all these requests become redirects, and preflight redirects are not allowed by policy.

@bbondy @yrliou
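
Added example, not part of the thread and not Brave or Chromium code: a simplified JavaScript model of the browser-side preflight check, showing why a preflight answered with a redirect fails regardless of the server's CORS headers. The hosts `app.example` and `api.example`, the object shapes and the function names are assumptions made for the illustration.

```javascript
// Simplified model of the browser's CORS-preflight check (Fetch spec),
// added for illustration; not Brave or Chromium code.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

function headerList(value) {
  return (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// request:  { origin, method, headers: [non-safelisted names], credentials: bool }
// response: { status, headers: { lower-case name: value } } as seen for OPTIONS
function checkPreflight(request, response) {
  const h = response.headers;
  // A preflight is never followed through a redirect: any 3xx fails it.
  if (response.status >= 300 && response.status < 400) {
    return { ok: false, reason: "redirect is not allowed for a preflight request" };
  }
  if (response.status < 200 || response.status > 299) {
    return { ok: false, reason: "preflight status is not 2xx" };
  }
  const allowOrigin = h["access-control-allow-origin"];
  const wildcardOk = !request.credentials; // "*" only counts without credentials
  if (!(allowOrigin === request.origin || (allowOrigin === "*" && wildcardOk))) {
    return { ok: false, reason: "Access-Control-Allow-Origin does not match" };
  }
  if (request.credentials && h["access-control-allow-credentials"] !== "true") {
    return { ok: false, reason: "credentials not allowed" };
  }
  const methods = headerList(h["access-control-allow-methods"]);
  const method = request.method.toUpperCase();
  if (!SAFELISTED_METHODS.has(method) && !methods.includes(method.toLowerCase()) &&
      !(wildcardOk && methods.includes("*"))) {
    return { ok: false, reason: `method ${method} not allowed` };
  }
  const allowed = headerList(h["access-control-allow-headers"]);
  for (const name of request.headers.map((n) => n.toLowerCase())) {
    if (!allowed.includes(name) && !(wildcardOk && allowed.includes("*") && name !== "authorization")) {
      return { ok: false, reason: `request header ${name} not allowed` };
    }
  }
  return { ok: true, reason: "preflight passed" };
}

// Constructed sample: a correct server answer, and the same preflight turned into a 307.
const req = { origin: "https://app.example", method: "PUT", headers: ["Content-Type"], credentials: false };
const good = { status: 204, headers: { "access-control-allow-origin": "https://app.example",
  "access-control-allow-methods": "GET, PUT", "access-control-allow-headers": "content-type" } };
const redirected = { status: 307, headers: { location: "https://api.example/" } };
console.log(checkPreflight(req, good).reason, "|", checkPreflight(req, redirected).reason);
```

When triaging a report like this one, comparing the status of the OPTIONS response in the network panel against this order of checks separates a client-side redirect from a server CORS misconfiguration.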

iefremov commented Dec 18, 2018

Also affects:
#2034
#1999
#1581

tomlowenthal moved this from Untriaged / Incoming to Design in Shields Dec 18, 2018

tomlowenthal moved this from Design to Front-end in Shields Dec 18, 2018

tomlowenthal moved this from Front-end to In progress in Shields Dec 18, 2018

Collaborator

srirambv commented Dec 25, 2018

CORS Policy breaks image upload on vistaprint.com. The only way to upload image is to disable shields and use the site.

Collaborator

srirambv commented Dec 27, 2018

@iefremov the following issues are all CORS related.

Collaborator

Brave-Matt commented Jan 3, 2019

I also get the same error on Amazon Prime video, but only in the Beta channel release (v0.59.14):
apvcors

MisinformedDNA commented Jan 4, 2019

I'm seeing this on https://portal.azure.com as well. Original issue.

I'm on Brave v0.58.18

cemerson commented Jan 8, 2019

> Azure Portal is unusable in Brave because of this even with Shields down

Ditto. Here's a screen of the messages in the console when trying to approve a credit card on the Azure Signup Portal.

iefremov commented Jan 9, 2019

Closed all dupes I could find.
Not sure about #2580, can't test it quickly.
#2286 is not related to this issue.

Collaborator

btlechowski commented Jan 9, 2019

Verification passed on

Brave | 0.58.20 Chromium: 71.0.3578.98 (Official Build) (64-bit)
-- | --
Revision | 15234034d19b85dcd9a03b164ae89d04145d8368-refs/branch-heads/3578@{#897}
OS | Windows 7

Used test plan from OP.

Verified passed with

Brave | 0.58.20 Chromium: 71.0.3578.98 (Official Build) (64-bit)
-- | --
Revision | 15234034d19b85dcd9a03b164ae89d04145d8368-refs/branch-heads/3578@{#897}
OS | Mac OS X

  • Verified test plan from description

Verification PASSED on Mint 19.3 x64 VM using the following build:

Brave | 0.58.20 Chromium: 71.0.3578.98 (Official Build) (64-bit)
-- | --
Revision | 15234034d19b85dcd9a03b164ae89d04145d8368-refs/branch-heads/3578@{#897}
OS | Linux

jamendub commented Jan 12, 2019

Updated to 0.58.21 on Mac OS and it now works perfectly!
I love u guys ;)
Keep the good work up!!!!
