CORS AllowAnyHeader issue with Firefox #3684

Closed
rbanks54 opened this issue Oct 19, 2018 · 3 comments
Labels
area-mvc Includes: MVC, Actions and Controllers, Localization, CORS, most templates bug This issue describes a behavior which is not expected - a bug. Done This issue has been fixed

Comments

@rbanks54

Describe the bug

The AllowAnyHeader() behaviour seems to have changed between 2.0 and 2.2-preview3 and this causes problems with Firefox.
Previously preflight requests would return an Access-Control-Allow-Header containing the headers in the client request. This seems to have changed so that the server now returns a wildcard ('*') response.
Unfortunately the wildcard response appears to cause issues with Firefox. Chrome and Edge work correctly, however.

To Reproduce

Originally reported at: IdentityServer/IdentityServer4#2731.
You'll find more details there, including some repro steps.

Expected behavior

Return to previous behaviour, rather than returning the wildcard response

@blowdart
Contributor

Probably related to #3106 ?

@pranavkm pranavkm self-assigned this Oct 26, 2018
@pranavkm pranavkm added this to the 2.2.0 milestone Oct 26, 2018
pranavkm added a commit to aspnet/CORS that referenced this issue Oct 26, 2018
@pranavkm pranavkm added bug This issue describes a behavior which is not expected - a bug. 2 - Working labels Oct 26, 2018
pranavkm added a commit to aspnet/CORS that referenced this issue Oct 26, 2018
@pranavkm pranavkm added Done This issue has been fixed and removed 2 - Working labels Oct 26, 2018
@pranavkm
Contributor

Thanks for the bug report! Seems like an issue with Firefox. We changed the code to reflect the Access-Control-Request-Headers and Access-Control-Request-Method when the policy supports wildcard. We were already doing this when the policy was configured to support credentials. We'll continue to respond with * in the Access-Control-Allow-Origin header if the policy is configured to support all origins and supports credentials. This is a mitigation for #3106.
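
Added example, not part of the thread and not ASP.NET Core code: a small JavaScript model of the two preflight behaviours discussed above (wildcard versus reflecting the request), with a client-side check showing why a client that matches header names literally rejects the wildcard response. The policy fields, the mode argument and the sample request are assumptions made for illustration.

```javascript
// Added model of the preflight behaviour discussed in this thread.
// Not ASP.NET Core code: the policy fields and the mode argument are hypothetical.
const parseList = (v) =>
  (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);

// mode 'wildcard' = behaviour reported for 2.2-preview3,
// mode 'reflect'  = behaviour after the fix (echo what the client asked for).
function preflightResponse(policy, request, mode) {
  // Per the thread, policies that support credentials were already reflecting.
  const reflect = mode === 'reflect' || policy.supportsCredentials === true;
  const res = {
    'Access-Control-Allow-Origin': policy.allowAnyOrigin ? '*' : request.origin,
  };
  const reqHeaders = request['access-control-request-headers'];
  const reqMethod = request['access-control-request-method'];
  if (policy.allowAnyHeader) {
    if (!reflect) res['Access-Control-Allow-Headers'] = '*';
    else if (reqHeaders) res['Access-Control-Allow-Headers'] = reqHeaders;
  }
  if (policy.allowAnyMethod) {
    if (!reflect) res['Access-Control-Allow-Methods'] = '*';
    else if (reqMethod) res['Access-Control-Allow-Methods'] = reqMethod;
  }
  return res;
}

// Client-side check: are all requested headers permitted by the response?
// honoursWildcard=false models a client that only matches names literally
// (an assumption standing in for the Firefox failure described above).
function clientAllowsHeaders(response, request, honoursWildcard) {
  const allowed = parseList(response['Access-Control-Allow-Headers']);
  if (honoursWildcard && allowed.includes('*')) return true;
  return parseList(request['access-control-request-headers'])
    .every((h) => allowed.includes(h));
}

// Constructed sample preflight request (not taken from the issue).
const sampleRequest = {
  origin: 'https://app.example',
  'access-control-request-method': 'POST',
  'access-control-request-headers': 'content-type, x-requested-with',
};
const anyPolicy = { allowAnyOrigin: true, allowAnyHeader: true, allowAnyMethod: true };

for (const mode of ['wildcard', 'reflect']) {
  const res = preflightResponse(anyPolicy, sampleRequest, mode);
  console.log(mode, res['Access-Control-Allow-Headers'],
    'literal client ok:', clientAllowsHeaders(res, sampleRequest, false));
}
```

The same check can be applied to a captured preflight exchange by copying the request and response header values into the two objects.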

@rbanks54
Author

rbanks54 commented Nov 1, 2018

Confirmed this works now using the latest nightly build (2.2.100-rtm-009571)

@Eilon Eilon added area-mvc Includes: MVC, Actions and Controllers, Localization, CORS, most templates and removed repo:CORS labels Nov 26, 2018
@dotnet dotnet locked as resolved and limited conversation to collaborators Dec 3, 2019