Safari Access-Control-Request-Headers: Origin issue [explained] #116

Open
squadette opened this issue Apr 30, 2016 · 6 comments

@squadette

squadette commented Apr 30, 2016

When you send a CORS request with some header like X-API-Token, Safari 6 and 7 send

Access-Control-Request-Headers: Origin, X-API-Token

with the request. If you have an explicit list of headers in your Rack::Cors configuration, you probably don't have the Origin header in this list. Well, you should, otherwise it does not work.

Chrome and Firefox do not have this issue; they correctly send Access-Control-Request-Headers: X-API-Token. Also, Safari makes it harder to debug, because CORS-failed requests are not in the "Timelines" window (they are in the "Resources" window).

I understand that most people probably just use headers: :any and do not bother. We need to either a) explicitly mention this in documentation, or b) always allow "Origin" in this list.

WDYT?
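
The mismatch described in the opening post, as an added example that is not part of the original issue and not rack-cors's own code: a simplified stand-alone model of checking a preflight's Access-Control-Request-Headers value against an explicit allowlist. The class name PreflightHeaderCheck and the sample header values are constructed for illustration.

```ruby
require 'set'

# Simplified model of a CORS preflight header check (an assumption for
# illustration, not rack-cors's implementation). Header names compare
# case-insensitively, as HTTP field names do.
class PreflightHeaderCheck
  def initialize(allowed)
    @any = (allowed == :any)
    @allowed = @any ? Set.new : Set.new(Array(allowed).map { |h| normalize(h) })
  end

  # Returns the requested header names that the allowlist does not cover.
  def rejected(request_headers_value)
    return [] if @any
    parse(request_headers_value).reject { |h| @allowed.include?(h) }
  end

  def allowed?(request_headers_value)
    rejected(request_headers_value).empty?
  end

  private

  # Splits an Access-Control-Request-Headers value into normalized names.
  def parse(value)
    value.to_s.split(',').map { |h| normalize(h) }.reject(&:empty?)
  end

  def normalize(name)
    name.to_s.strip.downcase
  end
end

# Constructed sample values, modelled on the headers quoted in the issue.
SAFARI_6_7     = 'Origin, X-API-Token'
CHROME_FIREFOX = 'X-API-Token'

checks = {
  'explicit list'          => PreflightHeaderCheck.new(%w[X-API-Token Content-Type]),
  'explicit list + Origin' => PreflightHeaderCheck.new(%w[Origin X-API-Token Content-Type]),
  'headers: :any'          => PreflightHeaderCheck.new(:any)
}

checks.each do |label, check|
  [SAFARI_6_7, CHROME_FIREFOX].each do |value|
    puts format('%-24s %-22s allowed=%-5s rejected=%p', label, value, check.allowed?(value), check.rejected(value))
  end
end
```

The output shows the explicit list rejecting only Safari's extra `origin` entry, which is the one name to add if the list stays explicit instead of moving to headers: :any.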

joshwlewis added a commit to joshwlewis/pliny that referenced this issue May 3, 2016
Some Safari versions will reject CORS responses without this.
Additional details: cyu/rack-cors#116
@HoracioChavez

HoracioChavez commented Jun 2, 2016

Hi @squadette, is this what you meant by allow origin?

config.middleware.insert_before ActionDispatch::Static, Rack::Cors do
  allow do
    origins ""
    resource "", :headers => [:any, :origin], :methods => [:get, :post, :options]
  end
end

I tried that way, but it didn't work for me. This is my whole implementation: #33 (comment)

@squadette
Author

@HoracioChavez, well, if you use :any then you probably don't need anything else (but I don't know, looks like people in other tickets still complain). I don't know because I have an explicit list of headers in my app, and it (now) includes "Origin".

The pull-request above probably fixes that.

@coneybeare

I am still seeing problems in Safari, after trying dozens of the tips and tricks mentioned in the issues here. I have a Stack Overflow question opened on my specific problem here

@cyu
Owner

cyu commented Feb 4, 2017

@sudoaza

sudoaza commented Nov 7, 2018

Any news about this? Simply :any doesn't seem to work still, maybe I'm needing the expose?

@sandstrom

I'm doing some issue gardening 🌱🌿 🌷 and came upon this issue. Since it's quite old I just wanted to ask if this is still relevant? If it isn't, maybe we can close this issue?

By closing some old issues we reduce the list of open issues to a more manageable set.
