Blocked by CORS policy #13324

Closed
EndenDragon opened this issue Apr 15, 2019 · 31 comments

Comments

@EndenDragon
Contributor

commented Apr 15, 2019

I am having issues with loading various scripts from https://courses.cs.washington.edu/courses/cse154/19sp-aprilfools/homework/homework.html due to a CORS issue.
[image]

When calling it from Postman, the Access Control header is missing:
[image]

These are the script tags used on that page:

<script src="https://cdnjs.cloudflare.com/ajax/libs/soundmanager2/2.97a.20150601/script/soundmanager2-nodebug-jsmin.js" integrity="sha256-5KBL+8gS3BkWOs22YOrezN3Djl4pwodgZaPQY9hgu4Y=" crossorigin="anonymous"></script> 
<script src="https://cdnjs.cloudflare.com/ajax/libs/jrumble/1.3.0/jquery.jrumble.min.js" integrity="sha256-z+oTdmuaIQMdK+E1CPBwewoqdUE7sfBryQ4/PXYsSlE=" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery.transit/0.9.12/jquery.transit.min.js" integrity="sha256-rqEXy4JTnKZom8mLVQpvni3QHbynfjPmPxQVsPZgmJY=" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/UAParser.js/0.7.19/ua-parser.min.js" integrity="sha256-WfUykOyzFASY5s5n4T1ENGfSfN0YGcvEJ75f1Zv3S0E=" crossorigin="anonymous"></script>

@command-tab

commented Apr 15, 2019

I'm seeing this as well:

Access to CSS stylesheet at 'https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css' from origin 'https://redactedappname.redactedcompany.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

@eggonabull


commented Apr 15, 2019

I am seeing this as well. We have a demo soon. If this cannot be fixed in less than a half hour I may move off CDNJS permanently.

I am seeing this for:

<script src="https://cdnjs.cloudflare.com/ajax/libs/react/16.0.0/umd/react.production.min.js" integrity="sha256-3lmw1FBKoDUME3df7Jt4hZ8+2oPeoh1g3e2Yu3hm1Uo=" crossorigin="anonymous"></script>

Interestingly, when I load the URL directly, it does have a CORS header.

@MattIPv4

Member

commented Apr 15, 2019

Hi there,

Thank you for reporting this. We are currently working with Cloudflare, who recently deployed changes, to resolve this issue asap and to restore CDN service.

I will pass this thread onto the team at Cloudflare so that they can diagnose and resolve the issue asap.

If you encounter this issue: Please post full request & response headers, along with the failed resource URL. This allows us to more easily locate the source of the issue.

Thank you.
You can follow incident updates on our status page: https://status.cdnjs.com/incidents/9100rwz33n1h

@dknecht


commented Apr 15, 2019

A fix has been released. If there is specific JS that you need to be purged, please post.

cdnjs deleted a comment from dknecht Apr 15, 2019

@seanmcdougall

This comment has been minimized.

@MattIPv4

Member

commented Apr 15, 2019

@yevhen-hryhorevskyi


commented Apr 15, 2019

The same issue is still randomly happening for the:
https://cdnjs.cloudflare.com/ajax/libs/babel-polyfill/7.0.0/polyfill.min.js

@freddyheppell


commented Apr 15, 2019

Occurring with
https://cdnjs.cloudflare.com/ajax/libs/vue/1.0.27/vue.min.js

Request:

Host: cdnjs.cloudflare.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: */*
Accept-Language: en-GB,en-US;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://freddyheppell.com/2018/08/06/understanding-rsa
Origin: https://freddyheppell.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

Response:

HTTP/2.0 200 OK
date: Mon, 15 Apr 2019 20:34:38 GMT
content-type: application/javascript; charset=utf-8
last-modified: Thu, 17 May 2018 09:26:44 GMT
etag: W/"5afd4ad4-12f78"
expires: Sat, 04 Apr 2020 20:34:38 GMT
cache-control: public, max-age=30672000
vary: Accept-Encoding
timing-allow-origin: *
x-content-type-options: nosniff
served-in-seconds: 0.003
cf-cache-status: HIT
strict-transport-security: max-age=15780000; includeSubDomains
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 4c80b3916a46ce3d-LHR
content-encoding: br
X-Firefox-Spdy: h2

@EndenDragon
Contributor Author

commented Apr 15, 2019

Occurred with these two resources from this url https://courses.cs.washington.edu/courses/cse154/19sp-aprilfools/homework/homework.html:

https://cdnjs.cloudflare.com/ajax/libs/UAParser.js/0.7.19/ua-parser.min.js
Request:

Origin: https://courses.cs.washington.edu
Referer: https://courses.cs.washington.edu/courses/cse154/19sp-aprilfools/homework/homework.html
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36

Response:

Date →Mon, 15 Apr 2019 20:44:41 GMT
Content-Type →application/javascript; charset=utf-8
Transfer-Encoding →chunked
Connection →keep-alive
Last-Modified →Thu, 25 Oct 2018 19:15:51 GMT
ETag →W/"5bd21667-377b"
Expires →Sat, 04 Apr 2020 20:44:41 GMT
Cache-Control →public, max-age=30672000
Vary →Accept-Encoding
Timing-Allow-Origin →*
x-content-type-options →nosniff
Content-Encoding →gzip
Served-In-Seconds →0.000
CF-Cache-Status →HIT
Strict-Transport-Security →max-age=15780000; includeSubDomains
Expect-CT →max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server →cloudflare
CF-RAY →4c80c2473c412a19-SEA

https://cdnjs.cloudflare.com/ajax/libs/jquery.transit/0.9.12/jquery.transit.min.js
Request:

Origin: https://courses.cs.washington.edu
Referer: https://courses.cs.washington.edu/courses/cse154/19sp-aprilfools/homework/homework.html
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36

Response:

HTTP/2.0 200 OK
Date →Mon, 15 Apr 2019 20:42:39 GMT
Content-Type →application/javascript; charset=utf-8
Transfer-Encoding →chunked
Connection →keep-alive
Last-Modified →Thu, 17 May 2018 09:20:15 GMT
ETag →W/"5afd494f-1d34"
Expires →Sat, 04 Apr 2020 20:42:39 GMT
Cache-Control →public, max-age=30672000
Vary →Accept-Encoding
Timing-Allow-Origin →*
x-content-type-options →nosniff
Content-Encoding →gzip
Served-In-Seconds →0.001
CF-Cache-Status →HIT
Strict-Transport-Security →max-age=15780000; includeSubDomains
Expect-CT →max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server →cloudflare
CF-RAY →4c80bf4d8e9b2a19-SEA

@MattIPv4
Member

commented Apr 15, 2019

@eggonabull @yevhen-hryhorevskyi @freddyheppell @EndenDragon @xoqem The latest from Cloudflare is that those resources should now be fixed. Please try clearing your local cache and seeing if that is the case.

@MattIPv4

Member

commented Apr 15, 2019

@chriskuehl I will pass this onto the team at Cloudflare to double check.

@MattIPv4

Member

commented Apr 15, 2019

cc @PeterDaveHello just so you are aware.

@xoqem


commented Apr 15, 2019

> The latest from Cloudflare is that those resources should now be fixed. Please try clearing your local cache and seeing if that is the case.

Sadly clearing the cache doesn't seem to solve the issue. I tried both disabling the cache via dev tools and opening a new incognito session just in case. I have a local workaround, so I'm not super blocked, but just a heads up.

@MattIPv4

Member

commented Apr 15, 2019

@xoqem Ah, that's not great. Have passed the feedback onto Cf.

@dknecht


commented Apr 15, 2019

@xoqem Can you paste a url and headers?

@chriskuehl


commented Apr 15, 2019

I can reproduce this with curl from a couple boxes (original request came from Copy as > Curl from Chrome):

$ curl 'https://cdnjs.cloudflare.com/ajax/libs/react/16.4.0/umd/react.production.min.js' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36' -H 'Referer: https://www.stageg.yelp.com/' -H 'Origin: https://www.stageg.yelp.com' --compressed -D- -so /dev/null
HTTP/2 200
date: Mon, 15 Apr 2019 21:16:08 GMT
content-type: application/javascript; charset=utf-8
last-modified: Thu, 24 May 2018 01:00:47 GMT
etag: W/"5b060ebf-1c31"
expires: Sat, 04 Apr 2020 21:16:08 GMT
cache-control: public, max-age=30672000
vary: Accept-Encoding
timing-allow-origin: *
x-content-type-options: nosniff
content-encoding: gzip
served-in-seconds: 0.001
cf-cache-status: HIT
strict-transport-security: max-age=15780000; includeSubDomains
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 4c80f05aecea514c-SJC

If I make the same request with a slightly different Origin request header (I just appended a z), it works:

$ curl 'https://cdnjs.cloudflare.com/ajax/libs/react/16.4.0/umd/react.production.min.js' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36' -H 'Referer: https://www.stageg.yelp.com/' -H 'Origin: https://www.stageg.yelp.comz' --compressed -D- -so /dev/null
HTTP/2 200
date: Mon, 15 Apr 2019 21:16:33 GMT
content-type: application/javascript; charset=utf-8
last-modified: Thu, 24 May 2018 01:00:49 GMT
etag: W/"5b060ec1-1c31"
expires: Sat, 04 Apr 2020 21:16:33 GMT
cache-control: public, max-age=30672000
vary: Accept-Encoding
timing-allow-origin: *
access-control-allow-origin: *
content-encoding: gzip
served-in-seconds: 0.001
cf-cache-status: HIT
strict-transport-security: max-age=15780000; includeSubDomains
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 4c80f0f76fdb95f5-SJC

This second response has access-control-allow-origin: * as expected, whereas the first doesn't.
Some weird caching thing given that changing the Origin request header fixes it?

I tried the same curl command (the first curl above) on three different networks; it reproduced on two of the three. Not sure if it's relevant, but the two it reproduces from are hitting SJC cloudflare (based on that cf-ray response header), the third it doesn't reproduce from appears to be hitting LAX.

Edit: Also seeing the same thing for https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.2/jquery.min.js
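
The comparison made by hand in the comment above can be scripted. This is an added example, not code from the thread or from cdnjs or Cloudflare: it parses response header dumps (abbreviated here from the two curl captures above) and flags two cache HITs from the same PoP whose `access-control-allow-origin` differs by request Origin although the response does not declare `Vary: Origin`. The function names are illustrative.

```python
# Added example: triage captured response headers for the symptom in this thread.
# PROBES is abbreviated from the two curl captures above; function names are illustrative.

PROBES = [
    ("https://www.stageg.yelp.com", """\
HTTP/2 200
etag: W/"5b060ebf-1c31"
vary: Accept-Encoding
cf-cache-status: HIT
cf-ray: 4c80f05aecea514c-SJC
"""),
    ("https://www.stageg.yelp.comz", """\
HTTP/2 200
etag: W/"5b060ec1-1c31"
vary: Accept-Encoding
access-control-allow-origin: *
cf-cache-status: HIT
cf-ray: 4c80f0f76fdb95f5-SJC
"""),
]

def parse_headers(raw):
    """Map lower-cased header names to values, skipping the status line."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def summarize(origin, raw):
    """Reduce one probe to the fields that matter for this diagnosis."""
    h = parse_headers(raw)
    vary = {v.strip().lower() for v in h.get("vary", "").split(",") if v.strip()}
    return {
        "origin": origin,
        "pop": h.get("cf-ray", "").rpartition("-")[2],  # PoP code after the last "-"
        "cache": h.get("cf-cache-status"),
        "acao": h.get("access-control-allow-origin"),
        "vary_origin": "origin" in vary,
        "etag": h.get("etag"),
    }

def origin_keyed_mismatch(rows):
    """True when HITs from one PoP disagree on ACAO without Vary: Origin."""
    by_pop = {}
    for r in rows:
        if r["cache"] == "HIT" and not r["vary_origin"]:
            by_pop.setdefault(r["pop"], set()).add(r["acao"])
    return any(len(values) > 1 for values in by_pop.values())

ROWS = [summarize(origin, raw) for origin, raw in PROBES]
```

The differing `etag` values in `ROWS` are a second hint that the two Origins were served from separately stored copies.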

@dknecht


commented Apr 15, 2019

Thanks that is helpful.

@MattIPv4

Member

commented Apr 15, 2019

@chriskuehl Looks to be a cached issue now, which I guess is good as it means only these few resources are affected. @dknecht and the Cloudflare team should be able to resolve this shortly :)

@yevhen-hryhorevskyi


commented Apr 15, 2019

@MattIPv4 It seems that the issue is gone for us. At least I was not able to reproduce it with several attempts.

@dknecht


commented Apr 15, 2019

@chriskuehl @xoqem Is it working now for you?

@EndenDragon

Contributor Author

commented Apr 15, 2019

@dknecht I'm having issues with this as well
#13324 and more info at #13324 (comment)

@chriskuehl


commented Apr 15, 2019

@dknecht unfortunately I'm still seeing no header with this curl command:

$ curl 'https://cdnjs.cloudflare.com/ajax/libs/react/16.4.0/umd/react.production.min.js' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36' -H 'Referer: https://www.stageg.yelp.com/' -H 'Origin: https://www.stageg.yelp.com' --compressed -D- -so /dev/null
HTTP/2 200
date: Mon, 15 Apr 2019 21:50:58 GMT
content-type: application/javascript; charset=utf-8
last-modified: Thu, 24 May 2018 01:00:47 GMT
etag: W/"5b060ebf-1c31"
expires: Sat, 04 Apr 2020 21:50:58 GMT
cache-control: public, max-age=30672000
vary: Accept-Encoding
timing-allow-origin: *
x-content-type-options: nosniff
content-encoding: gzip
served-in-seconds: 0.001
cf-cache-status: HIT
strict-transport-security: max-age=15780000; includeSubDomains
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 4c81235fa805517c-SJC

I tested this on three different networks all near San Francisco (one corporate Level3, one residential WebPass, one Linode datacenter) and all three don't see the header. A fourth network I tested on (hitting LAX) does see the header.

@xoqem


commented Apr 15, 2019

@dknecht still seeing errors on my end as well

@command-tab


commented Apr 15, 2019

Could https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css be purged? I have a number of apps which use that library, and I can't be sure which users are stuck receiving the cached version with the absent Access-Control-Allow-Origin: * header.

I'm seeing the same behavior @chriskuehl mentioned: If I make a request and provide one of the affected apps' URLs in the Origin header, I get the cached response containing no Access-Control-Allow-Origin: * header. If I modify the Origin value in any way, the new response does contain Access-Control-Allow-Origin: *. Here's an HTTPie example where the first request receives the old cached response, and the second receives the correct response:

$ http -ph https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css 'Origin:https://vto.os.pixar.com'
HTTP/1.1 200 OK
CF-Cache-Status: HIT
CF-RAY: 4c8126335ee07924-LAX
Cache-Control: public, max-age=30672000
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/css
Date: Mon, 15 Apr 2019 21:52:54 GMT
ETag: W/"5afd4939-7918"
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Expires: Sat, 04 Apr 2020 21:52:54 GMT
Last-Modified: Thu, 17 May 2018 09:19:53 GMT
Served-In-Seconds: 0.001
Server: cloudflare
Strict-Transport-Security: max-age=15780000; includeSubDomains
Timing-Allow-Origin: *
Transfer-Encoding: chunked
Vary: Accept-Encoding
x-content-type-options: nosniff

$ http -ph https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css 'Origin:https://vto-stage.os.pixar.com'
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
CF-Cache-Status: MISS
CF-RAY: 4c812dfc4b1e791e-LAX
Cache-Control: public, max-age=30672000
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/css
Date: Mon, 15 Apr 2019 21:58:13 GMT
ETag: W/"5afd4910-7918"
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Expires: Sat, 04 Apr 2020 21:58:13 GMT
Last-Modified: Thu, 17 May 2018 09:19:12 GMT
Served-In-Seconds: 0.001
Server: cloudflare
Strict-Transport-Security: max-age=15780000; includeSubDomains
Timing-Allow-Origin: *
Transfer-Encoding: chunked
Vary: Accept-Encoding

Thank you ❤️

@dknecht


commented Apr 15, 2019

We have removed "Origin" from the Cache Key. This should improve performance and clear the caches. Sorry for the inconvenience we have caused everyone. We are reviewing the process to ensure this can't happen again.
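
Why a cache key that includes Origin produces the behaviour reported in this thread, as an added example: a toy edge cache, not Cloudflare's implementation and not code from the thread. It assumes a lookup under a changed key scheme simply misses the entries stored under the old scheme; the URL, site names and function names are constructed.

```python
# Added example: toy model of an edge cache whose key may include the Origin header.
# Everything here is constructed for illustration; it is not Cloudflare's cache.

URL = "https://cdn.example/lib.min.js"
SITE_A = "https://a.example"
SITE_B = "https://b.example"

class EdgeCache:
    def __init__(self, key_on_origin):
        self.key_on_origin = key_on_origin
        self.store = {}

    def key(self, url, origin):
        # With Origin in the key, every requesting site gets its own stored copy.
        return (url, origin) if self.key_on_origin else (url,)

    def fetch(self, url, origin, upstream):
        k = self.key(url, origin)
        if k in self.store:
            return "HIT", self.store[k]
        self.store[k] = upstream(url)
        return "MISS", self.store[k]

def broken_upstream(url):
    # Response shape during the bad deploy: the CORS header is absent.
    return {"content-type": "application/javascript"}

def fixed_upstream(url):
    return {"content-type": "application/javascript",
            "access-control-allow-origin": "*"}

def replay():
    cache = EdgeCache(key_on_origin=True)
    cache.fetch(URL, SITE_A, broken_upstream)           # cached during the bad deploy
    stale = cache.fetch(URL, SITE_A, fixed_upstream)    # same Origin: stale HIT
    fresh = cache.fetch(URL, SITE_B, fixed_upstream)    # other Origin: MISS, refetched
    cache.key_on_origin = False                         # Origin dropped from the key
    rekeyed = cache.fetch(URL, SITE_A, fixed_upstream)  # old entries no longer match
    shared = cache.fetch(URL, SITE_B, fixed_upstream)   # one copy now serves every site
    return stale, fresh, rekeyed, shared

if __name__ == "__main__":
    for label, (status, headers) in zip(("stale", "fresh", "rekeyed", "shared"), replay()):
        print(label, status, headers.get("access-control-allow-origin"))
```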

@MattIPv4

Member

commented Apr 15, 2019

@dknecht Thank you for the incredible work to resolve this! ❤️

@chriskuehl


commented Apr 15, 2019

Confirmed it is fixed for us, thanks!

@EndenDragon

Contributor Author

commented Apr 16, 2019

Yup fixed on my end too! Thanks for your help!!

MattIPv4 unpinned this issue Apr 16, 2019
