Firefox won't send Cross-Origin Resource Sharing Pre-flight? - ajax

I've implemented a web application that takes advantage of CORS to gather JSON data from another server. The servers run on different subdomains. Everything seems implemented correctly, and it works fine with Chromium. Below is a copy of my requests, from Chromium.
My problem is that in Firefox (tested with 13.0.1), no request is ever made for my AJAX resource. No preflight request is ever sent, and no actual request is made. Instead, I get this error, from the XMLHttpRequest.send() function:
[21:40:27.546] uncaught exception: [Exception... "Access to restricted URI denied" code: "1012" nsresult: "0x805303f4 (NS_ERROR_DOM_BAD_URI)" location: "http://192.168.1.99:2502/static/mootools-core-1.4.5.js Line: 5398"]
I am using Mootools' Request.JSON object, which sets various extra headers, meaning that a preflight would indeed be required. However, it is never sent.
Unfortunately, JSONP is not an option, as the data is sensitive.
Does anyone have insight into what the problem could be?
Thanks very much.
Working example, from Chromium:
Preflight request:
OPTIONS /api/resource HTTP/1.1
Host: dev0.mydomain.com
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: http://192.168.1.99:2502
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.19 (KHTML, like Gecko) Ubuntu/12.04 Chromium/18.0.1025.151 Chrome/18.0.1025.151 Safari/535.19
Access-Control-Request-Headers: origin, x-request, x-requested-with, accept
Accept: */*
Referer: http://192.168.1.99:2502/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: [redacted]
Preflight response:
HTTP/1.0 200 OK
Server: PasteWSGIServer/0.5 Python/2.7.3
Date: Fri, 29 Jun 2012 01:43:37 GMT
Content-Length: 0
Access-Control-Allow-Headers: Cookie, Origin, X-Request, X-Requested-With, Accept
Access-Control-Max-Age: 1
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://192.168.1.99:2502
Access-Control-Allow-Methods: GET
Content-Type: text/html; charset=UTF-8
"Real" request:
GET /api/resource HTTP/1.1
Host: dev0.mydomain.com
Connection: keep-alive
Origin: http://192.168.1.99:2502
X-Request: JSON
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.19 (KHTML, like Gecko) Ubuntu/12.04 Chromium/18.0.1025.151 Chrome/18.0.1025.151 Safari/535.19
Accept: application/json
Referer: http://192.168.1.99:2502/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: [redacted]
"Real" response:
HTTP/1.0 200 OK
Server: PasteWSGIServer/0.5 Python/2.7.3
Date: Fri, 29 Jun 2012 01:43:37 GMT
Access-Control-Allow-Origin: http://192.168.1.99:2502
Content-Type: text/html; charset=UTF-8
Content-Length: 22
Access-Control-Allow-Credentials: true

The answer is given in the comments to the question. Firefox was not sending the request due to the HTTP authentication username I had provided.

Related

Why Firefox auto gzip download file?

I am working on a web file share service, the service can decompress the .gz file content before transferring to client if user asks for it: Windows has not gzip build-in.
Following is an example: un-gzip and download long.txt.gz.
Capture from Fiddler
Request
GET https://szdc-data-explorer-test.spiral.exchange/v1/fs/file/tmp/long.txt.gz?pipelines=ungzip&file_name=long.txt&otk=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1
Host: szdc-data-explorer-test.spiral.exchange
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://next-test.spiral.exchange/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-site
Response
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Disposition: attachment; filename="long.txt"
Content-Type: text/plain; charset=UTF-8
Date: Thu, 13 Jan 2022 00:44:14 GMT
Vary: Accept-Encoding
Vary: Origin
Content-Length: 293216
Firefox save the file with name long.txt as specified in Content-Disposition header, but the content is gzip-ed. It sounds like Firefox auto gzip due to request path ends with .gz: /v1/fs/file/tmp/long.txt.gz
Well, it is a known behavior of firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=610679

CORS header ‘Access-Control-Allow-Origin’ does not match in firefox, works in chrome

I'm making a simple cross-origin request request, which is blocked by firefox with reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘http://localhost:4200, *’).
The request headers are:
Host: localhost:8090
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:4200/schedule
Origin: http://localhost:4200
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Response Headers:
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Wed, 11 Jul 2018 07:15:32 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 41359
Connection: keep-alive
Vary: Origin
Access-Control-Allow-Origin: http://localhost:4200
Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS
Access-Control-Allow-Headers: *
Access-Control-Expose-Headers: *
As far as i can see, the origin and Access-Control-Allow-Origin match, but firefox seems to have a different opinion. The same setup works correctly with Chrome.
What am I missing here ?
Thanks,
Steven
The comment by #sideshowbaker put me on the right track: an add-on that i was using earlier for local testing seemed to intervene in the CORS exchange, even when it wasn't supposed to.
Removing it corrected the issue.

JSF ajax requests causing a page refresh on specific browser

I have a web application developed with Java 7, PrimeFaces 5 (JSF), Tomcat 7. Some time ago a user reported a defect from production environment where everything he clicked caused the page to be refreshed. I couldn't reproduce it then I forgot about it... but right now I just reproduced the issue, for the first time, running the application in my local machine. Any button I click, that triggers an ajax request, will be followed by a page refresh. I tried to restart tomcat and to clear Chrome's cache with CMD+SHIFT+R but I still can reproduce the issue.
I can reproduce on Google Chrome, but not on Firefox and Safari. I opened the network tab from Developer Tools from both Firefox and Chrome to compare the requests... but I still can't understand... does anybody have any idea what may be happening?
I will provide below the network activities for the following close event:
<p:panel id="myPanel" widgetVar="myPanelVar" closable="true">
<p:ajax event="close" listener="#{myBean.changeSomeVariables}" />
<h:outputText value="Example panel"/>
<a onclick="PF('myPanelVar').close();"><span class="ui-icon ui-icon-closethick"></span></a>
</p:panel>
Network activity from Firefox (working fine):
Request URL:http://localhost:8080/myMainPage;jsessionid=3BF25F4A5CF149326D3561C0F2002FB9
Request Method:POST
Status Code:200 OK
Remote Address:[::1]:8080
REQUEST HEADERS:
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Faces-Request: partial/ajax
X-Requested-With: XMLHttpRequest
Referer: http://localhost:8080/myMainPage
Content-Length: 309
Connection: keep-alive
RESPONSE HEADERS:
Cache-Control: no-cache, no-store, must-revalidate, no-cache
Content-Length: 335
Content-Type: text/xml;charset=UTF-8
Date: Sun, 21 Aug 2016 03:02:14 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
FORM DATA:
javax.faces.partial.ajax=true&javax.faces.source=myPanel&javax.faces.partial.execute=myPanel&javax.faces.behavior.event=close&javax.faces.partial.event=close&myHeaderForm=myHeaderForm&myHeaderForm%3Aemail=userTest&myHeaderForm%3Apassword=passTest&javax.faces.ViewState=3276447570579140768:319272761245257759
Network activity from Chrome (not working fine, I don't understand where the GET request is coming from):
Request URL:http://localhost:8080/myMainPage
Request Method:POST
Status Code:200 OK
Remote Address:[::1]:8080
REQUEST HEADERS:
POST /myMainPage HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Content-Length: 325
Origin: http://localhost:8080
Faces-Request: partial/ajax
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: application/xml, text/xml, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Referer: http://localhost:8080/myMainPage
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,pt;q=0.6
Cookie: JSESSIONID=5C1AE4DB6B1B5148BD81FD0E47002EA4
RESPONSE HEADERS:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B68E094F6CF3C5AD57D96F0D1823AEBD; Domain=.mySite.com; Path=/; HttpOnly
Cache-Control: no-cache
Content-Type: text/xml;charset=UTF-8
Content-Length: 76
Date: Sun, 21 Aug 2016 03:05:36 GMT
FORM DATA:
javax.faces.partial.ajax=true&javax.faces.source=myPanel&javax.faces.partial.execute=myPanel&javax.faces.behavior.event=close&javax.faces.partial.event=close&myHeaderForm=myHeaderForm&myHeaderForm%3Aemail=userTest&myHeaderForm%3Apassword=passTest&javax.faces.ViewState=8492705007558548241%3A8154221161100277529
__________________________________________________________
Request URL:http://localhost:8080/myMainPage
Request Method:GET
Status Code:200 OK
Remote Address:[::1]:8080
REQUEST HEADERS:
GET /myMainPage HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://localhost:8080/myMainPage
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,pt;q=0.6
Cookie: JSESSIONID=5C1AE4DB6B1B5148BD81FD0E47002EA4
RESPONSE HEADERS:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D352B9B5644288F3095D1A702075AFEB; Domain=.mySite.com; Path=/; HttpOnly
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Content-Encoding: gzip
Vary: Accept-Encoding
Date: Sun, 21 Aug 2016 03:05:36 GMT
Thanks

Chrome not setting cookie on AJAX POST

I do an AJAX POST to my webservice, and it sets 2 cookies in the response, but Chrome does not set them. Safari and Firefox do, however.
Here's the request:
POST /api/login HTTP/1.1
Host: 0.0.0.0:8080
Connection: keep-alive
Content-Length: 50
accept: application/json
Origin: http://0.0.0.0:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
content-type: application/json
Referer: http://0.0.0.0:8080/form
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,nl;q=0.6,de;q=0.4,fr;q=0.2,pl;q=0.2
Response:
HTTP/1.1 200 OK
X-Powered-By: Express
Vary: X-HTTP-Method-Override, Accept-Encoding
x-frame-options: sameorigin
set-cookie: keystone.uid=s%3A55efe88923f753865f7a0985%3Ac5aT64aih9lxXi%2BNiSMr1rUJW4kzWyyNUforvUOrckk.JovuV%2FqeoQ32PiuyNPAZ7JcbIxXBcBvj%2FWFp8vf3SQQ; Path=/; HttpOnly
set-cookie: keystone.sid=s%3ADcv5el-TjLRkOSH9vNbvxQoOai-SQj-3.ZTfPFwEZp5mdVHSDZTukO%2FnrDnSpGU3OMW3tQu%2FSz7U; Path=/; HttpOnly
Content-Type: application/json; charset=utf-8
Content-Length: 224
ETag: W/"e0-B6OeRPdDEP0WPVdlZHqarA"
Date: Fri, 06 Nov 2015 14:39:37 GMT
Connection: keep-alive
I'm out of ideas. This doesn't work with a fully qualified domain name on port 80 either.
Found the solution:
You have send the request with credentials (XMLHttpRequest.withCredentials or e.g. credentials: 'include' for whatwg fetch).
Even though this is pointless since you're logging in and don't have any/have invalid cookies, it makes Chrome store the cookies from the returned answer. ¯\_(ツ)_/¯
As pointed out by #Anne, the XMLHTTPRequest specification actually requires user agents to disregard returned cookies unless withCredentials is specified. http://www.w3.org/TR/XMLHttpRequest/#the-withcredentials-attribute

Firefox/Mozilla personas errors -- URL change?

Has the location for Firefox/Mozilla personas changed? Looking at the error console I see:
GET https://addons.cdn.mozilla.net/en-US/firefox/_files/245568/firefoxtom.jpg [HTTP/1.1 404 Not Found 299ms]
Redownloading the persona gives:
GET https://addons.cdn.mozilla.net/user-media/addons/245568/firefoxtom.jpg [HTTP/1.1 200 OK 756ms]
For all my current personas, I only see the background color, not the image. Has something changed recently? Is there a workaround? FF 31. Thanks!
Hearing nothing, I'll assume it's a web server misconfiguration on Mozilla's part and that no one cares. Just for posterity, here is the request/response that I tried to post in comments above, but that didn't look very good.
https://addons.cdn.mozilla.net/_files/245568/firefoxtom.jpg?1288084876
Request Method: GET
Status Code: HTTP/1.1 301 Moved Permanently
Request Headers 09:25:39.000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0
Host: addons.cdn.mozilla.net
Connection: keep-alive
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Response Headers Δ305ms
X-Frame-Options: DENY
X-Backend-Server: web7
Vary: Accept-Language, User-Agent, X-Mobile
Strict-Transport-Security: max-age=31536000
Server: nginx
Location: https://addons.cdn.mozilla.net/en-US/firefox/_files/245568/firefoxtom.jpg?1288084876
Date: Sun, 07 Sep 2014 15:25:41 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Cache-Control: max-age=31536000

Resources