This repository has been archived by the owner on Jul 21, 2021. It is now read-only.

CORS requests fail when cookie-less domains are set to allow xhr but block cookies [facebook] [firefox] #369

Open
berrythesoftwarecodeprogrammar opened this issue Sep 29, 2015 · 5 comments

Comments

@berrythesoftwarecodeprogrammar

Not sure if this is an issue; it isn't an issue to me any longer, but it was interesting and might be helpful to the developer or to other users, so I thought I'd document it.

For a few days I had XHR allowed for all facebook domains but had cookies blocked on a few of them (domains which didn't even set cookies in the first place) (don't ask me why, but I did it, it caused problems, and only now did I realise that was the issue)
e.g.
facebook.com 1st-party cookie allow
facebook.com 1st-party xhr allow
facebook.com 0-edge-chat.facebook.com cookie block
facebook.com 1-edge-chat.facebook.com cookie block
etc.

The *-edge-chat. subdomains never set cookies, but I blocked them from doing so anyway, and they still had XHR enabled. But facebook notifications stopped working and I had to hard refresh pages to see updates. Then I looked in the Firefox console and saw lots of messages like this:

03:11:31.663 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://2-edge-chat.facebook.com/pull?channel=p_100009048180067&seq=0&partition=-2&clientid=2f1bec8c&cb=liny&idle=60&qp=y&cap=8&msgs_recv=0&uid=100009048180067&viewer_uid=100009048180067&msgr_region=ATN. (Reason: CORS header 'Access-Control-Allow-Origin' missing).1

Removing the cookie blocks fixed it. So for some reason blocking cookies on domains with uMatrix, even when they don't set cookies, blocks CORS requests to them?? Anyway, it was stupid to add those in the first place, so I removed them and it's fixed. But yeah, not sure if that's intended behaviour or not.

@gorhill
Owner

gorhill commented Sep 29, 2015

Do you see any Cookie header in the request headers for *-edge-chat.facebook.com? Cookies from facebook.com could be sent if they are allowed to be sent to subdomains. The domain for such cookies starts with a ".".

@berrythesoftwarecodeprogrammar
Author

Hmm, I guess I do?

https://2-edge-chat.facebook.com/pull?channel=p_100009185400624&seq=0&partition=-2&clientid=475e63f0&cb=fa6g&idle=22&qp=y&cap=8&wtc=9%2C1%2C0.000%2C9%2C9&msgs_recv=0&uid=100009185400624&viewer_uid=100009185400624&sticky_token=320&sticky_pool=ash2c06_chat-proxy&state=offline&mode=stream&format=json

GET /pull?channel=p_100009185400624&seq=0&partition=-2&clientid=475e63f0&cb=fa6g&idle=22&qp=y&cap=8&wtc=9%2C1%2C0.000%2C9%2C9&msgs_recv=0&uid=100009185400624&viewer_uid=100009185400624&sticky_token=320&sticky_pool=ash2c06_chat-proxy&state=offline&mode=stream&format=json HTTP/1.1
Host: 2-edge-chat.facebook.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
origin: https://www.facebook.com
Cookie: aa4d9c98f8b33ddbc0360f419fe0de126c0b5807bf245a236a26d95496cd1518
Connection: keep-alive

HTTP/1.1 200 OK
access-control-allow-credentials: true
access-control-allow-origin: https://www.facebook.com
Cache-Control: private, no-store, no-cache, must-revalidate
Content-Encoding: gzip
Content-Type: application/json
Date: Tue, 29 Sep 2015 04:15:13 GMT
Pragma: no-cache
x-frame-options: DENY
X-Firefox-Spdy: 3.1

I encrypted the cookie data.

@berrythesoftwarecodeprogrammar
Author

And yeah, I just looked at my cookie list and all of the facebook ones are set for ".facebook.com".

@berrythesoftwarecodeprogrammar
Author

So, like, is this an issue? I guess some cross-site requests to domains are using cookies without permission and without any indication, so that could be an issue. Don't know of any other sites where this happens though, and in this case it's kinda needed for the site to not break.
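The two browser rules behind this thread, modelled as an added example (this is editor-written code, not uMatrix's code and not anything the issue participants posted): a cookie whose domain attribute starts with a dot (".facebook.com") is domain-matched, so it is attached to a request for 2-edge-chat.facebook.com, and a credentialed cross-origin response is only readable when Access-Control-Allow-Origin echoes the exact requesting origin and Access-Control-Allow-Credentials is "true". The cookie jar, the two response header sets, and the assumption that the server omits Access-Control-Allow-Origin when no Cookie header arrives are all constructed for the example; the second header set mirrors the response captured above, the first mirrors the Firefox error message.

```javascript
// Added example: models cookie domain matching (RFC 6265 section 5.1.3)
// and the CORS credentialed-response check a browser performs.
// Not part of uMatrix; sample data below is constructed.

// A cookie domain of ".facebook.com" matches the host itself and every
// subdomain; a host-only cookie matches only the exact host.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// Which cookies from a jar would be attached to a request for `requestHost`.
function cookiesFor(requestHost, jar) {
  return jar.filter((c) =>
    c.hostOnly
      ? requestHost.toLowerCase() === c.domain.toLowerCase()
      : domainMatches(requestHost, c.domain)
  );
}

// Decide whether the browser lets the page read a cross-origin response.
// With credentials (cookies) in play, a wildcard ACAO is rejected, the
// origin must match exactly, and ACAC must be the literal string "true".
function corsReadable(requestOrigin, withCredentials, responseHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) {
    return { ok: false, reason: "CORS header 'Access-Control-Allow-Origin' missing" };
  }
  if (withCredentials) {
    if (acao === "*") return { ok: false, reason: "wildcard origin not allowed with credentials" };
    if (acao !== requestOrigin) return { ok: false, reason: "origin mismatch" };
    if (h["access-control-allow-credentials"] !== "true") {
      return { ok: false, reason: "Access-Control-Allow-Credentials missing or not 'true'" };
    }
    return { ok: true };
  }
  if (acao === "*" || acao === requestOrigin) return { ok: true };
  return { ok: false, reason: "origin mismatch" };
}

// Constructed cookie jar: one domain cookie as reported in the thread, plus a
// host-only cookie on www.facebook.com for contrast (hypothetical name).
const SAMPLE_JAR = [
  { name: "c_user", domain: ".facebook.com", hostOnly: false },
  { name: "host_only_example", domain: "www.facebook.com", hostOnly: true },
];

// Constructed responses: the first mirrors the headers captured in the thread
// when the Cookie header was sent; the second has no ACAO at all, which is
// what the Firefox error message reports when cookies were blocked.
const RESPONSE_WITH_COOKIE = {
  "access-control-allow-credentials": "true",
  "access-control-allow-origin": "https://www.facebook.com",
  "Content-Type": "application/json",
};
const RESPONSE_WITHOUT_ACAO = { "Content-Type": "application/json" };

// Simulate the chat /pull XHR from https://www.facebook.com with uMatrix
// either stripping cookies for the subdomain or letting them through.
// ASSUMPTION (not verified on the page): the server answers without ACAO
// when the request carries no Cookie header.
function simulateChatPull(cookiesBlocked) {
  const host = "2-edge-chat.facebook.com";
  const sent = cookiesBlocked ? [] : cookiesFor(host, SAMPLE_JAR);
  const response = sent.length ? RESPONSE_WITH_COOKIE : RESPONSE_WITHOUT_ACAO;
  const verdict = corsReadable("https://www.facebook.com", true, response);
  return { cookiesSent: sent.map((c) => c.name), ...verdict };
}

console.log(simulateChatPull(true));  // cookies stripped: blocked, ACAO missing
console.log(simulateChatPull(false)); // cookies sent: readable
```

The point for uMatrix users: a cookie rule on a subdomain that "never sets cookies" still affects requests to it, because domain cookies set by the parent are what get stripped, and a server that keys its CORS headers on authentication will then drop Access-Control-Allow-Origin.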

@Atavic

Atavic commented Mar 27, 2017

Cache-Control: must-revalidate
