ragulka

Reputation: 4342

Browser sends wrong/previous origin header after JS-redirect

I'm working on an app that needs to access CORS resources. In the app, users can change their subdomain (i.e., from mysubdomain.myapp.com to mynewsubdomain.myapp.com).

The server reads the origin header and adds that subdomain to the allowed origins for CORS requests.

My issue is that after the user changes their subdomain, I perform a simple window.location.href = mynewsubdomain redirect, but this results in failed resource loading (JS and styles) with the error:

Font from origin 'http://localhost:7000' has been blocked from loading by Cross-Origin Resource Sharing policy: The 'Access-Control-Allow-Origin' header has a value 'http://old.myapp.dev' that is not equal to the supplied origin. Origin 'http://new.myapp.dev' is therefore not allowed access.

Inspecting the Network Requests in Chrome, I can see that the Origin in the Request Headers is still http://old.myapp.dev, which seems to be the issue here. Subsequent page loads work fine. Is there something I can do about this? Can I instruct the browser to use the correct (new) subdomain as the origin? Should I redirect in a different manner?

MDN says this about changing window.location.href: "Note that security settings, like CORS, may prevent this to effectively happen". But there is not much information on how to work around this.

Upvotes: 1

Views: 537

Answers (1)

Kasoi

Reputation: 31

I had the same issue when I tried to get the same file from another subdomain.

I solved that by adding a "Vary: Origin" header to the response. Ref: https://forums.aws.amazon.com/thread.jspa?messageID=378304

Hope that works for you too.

Upvotes: 3
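Added example (not part of the original question or answer): a small model of why "Vary: Origin" matters when a server reflects the request Origin into Access-Control-Allow-Origin, assuming the stale header comes from a cached response keyed on the URL alone. The names corsHeaders, TinyCache, corsAllows and simulate are hypothetical, the hostnames are the ones in the question's error message, and the font path is constructed.

```javascript
// Added example; helper names are hypothetical, hostnames come from the question.
const ALLOWED_SUFFIX = ".myapp.dev"; // assumption: tenant subdomains live under this suffix

// Reflect the request Origin only for allowed subdomains; always emit Vary: Origin.
function corsHeaders(origin, { vary = true } = {}) {
  const headers = {};
  if (vary) headers["Vary"] = "Origin"; // set even on rejects so caches key on Origin
  let host;
  try { host = new URL(origin).hostname; } catch { return headers; }
  if (host.endsWith(ALLOWED_SUFFIX)) headers["Access-Control-Allow-Origin"] = origin;
  return headers;
}

// Toy HTTP cache: key = URL + values of the request headers listed in Vary.
class TinyCache {
  constructor() { this.store = new Map(); this.varyByUrl = new Map(); }
  key(url, req) {
    const vary = this.varyByUrl.get(url) || [];
    return url + "|" + vary.map(h => `${h}=${req[h.toLowerCase()] || ""}`).join("&");
  }
  fetch(url, req, originServer) {
    const hit = this.store.get(this.key(url, req));
    if (hit) return hit;
    const res = originServer(req);
    const vary = (res["Vary"] || "").split(",").map(s => s.trim()).filter(Boolean);
    this.varyByUrl.set(url, vary);
    this.store.set(this.key(url, req), res);
    return res;
  }
}

// Browser-side check: the header must equal the requesting origin exactly.
const corsAllows = (origin, res) => res["Access-Control-Allow-Origin"] === origin;

// Load the font from the old subdomain, then again after the redirect.
function simulate(vary) {
  const cache = new TinyCache();
  const server = req => corsHeaders(req.origin, { vary });
  const url = "http://localhost:7000/font.woff"; // constructed resource path
  cache.fetch(url, { origin: "http://old.myapp.dev" }, server);
  const res = cache.fetch(url, { origin: "http://new.myapp.dev" }, server);
  return corsAllows("http://new.myapp.dev", res);
}

console.log("without Vary:", simulate(false));
console.log("with Vary:   ", simulate(true));
```

Without the Vary header the second request is answered from the entry stored for the old subdomain, which reproduces the mismatch in the question's error message; with it, the cache stores one entry per Origin.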
