This repository has been archived by the owner on Jul 21, 2021. It is now read-only.
CORS requests fail when cookie-less domains are set to allow xhr but block cookies [facebook] [firefox] #369
Comments
Do you see any
hmm i guess i do?
i encrypted the cookie data
and yeah i just looked at my cookie list and all of the facebook ones are set for ".facebook.com"
so like is this an issue? i guess some cross site requests to domains are using cookies without permission and without any indication so that could be an issue. don't know of any other sites where this happens though and in this case it's kinda needed for the site to not break
not sure if this is an issue, it isn't an issue to me any longer, but it was interesting and might be helpful to the developer or to other users so i thought i'd document it.
for a few days i had xhr allowed for all facebook domains but had cookies blocked on a few of them (domains which didn't even set cookies in the first place) (don't ask me why but i did it and it caused problems and only now did i realise that was the issue)
e.g.
facebook.com 1st-party cookie allow
facebook.com 1st-party xhr allow
facebook.com 0-edge-chat.facebook.com cookie block
facebook.com 1-edge-chat.facebook.com cookie block
etc.
the *-edge-chat. subdomains never set cookies but i blocked them from doing so anyway, and they still had xhr enabled. but facebook notifications stopped working and i had to hard refresh pages to see updates. then i looked in the firefox console and saw lots of messages like this:
03:11:31.663 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://2-edge-chat.facebook.com/pull?channel=p_100009048180067&seq=0&partition=-2&clientid=2f1bec8c&cb=liny&idle=60&qp=y&cap=8&msgs_recv=0&uid=100009048180067&viewer_uid=100009048180067&msgr_region=ATN. (Reason: CORS header 'Access-Control-Allow-Origin' missing).1
removing the cookie blocks fixed it. so for some reason blocking cookies on domains with uMatrix, even when they don't set cookies, blocks CORS requests to them?? anyway it was stupid to add those in the first place so i removed them and it's fixed. but yeah not sure if that's intended behaviour or not.