Reputation: 2647
When requesting the same remote resource from pages on different hosts, the request succeeds on the first request and on subsequent requests from pages on the same host, but fails on pages on another host. I've seen this behaviour both in Firefox and Chromium but, strangely enough, not always.
To try it out, access these pages in any order:
After pressing the "Request data" button on the first page you will see a dialog with the contents of the remote resource. If you try to do the same on the other host, you might see the following on the browser console:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.w3.org/People/Berners-Lee/card.rdf. (Reason: CORS header 'Access-Control-Allow-Origin' does not match 'http://test.lodide.io').
It seems that the browser is caching some inferred Access-Control-Allow-Origin header and then complaining that the new host doesn't match. Note that the server actually returns "*" as the value of the header.
Is there a way to work around this problem by programmatically disabling caching when issuing the XMLHttpRequest?
Upvotes: 2
Views: 1001
Reputation: 7643
I think the problem you are encountering is that w3.org is not using the Vary header, despite varying the value of Access-Control-Allow-Origin on the request. See https://fetch.spec.whatwg.org/#cors-protocol-and-http-caches.
Upvotes: 3
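The cache interaction described in the answer above can be reproduced without a browser. This is an added example, not code from the original posts. It assumes a server that echoes the request's Origin into Access-Control-Allow-Origin, uses a deliberately minimal cache model, and uses `http://other.example` as a constructed second host.

```javascript
// Simulated origin server (assumption): echoes the request's Origin into
// Access-Control-Allow-Origin, optionally declaring Vary: Origin.
function originServer(req, sendVary) {
  const headers = { 'access-control-allow-origin': req.headers.origin };
  if (sendVary) headers.vary = 'Origin';
  return { status: 200, headers, body: '<rdf/>' };
}

// Minimal HTTP cache: the key is the URL plus the values of every request
// header named in the stored response's Vary header.
class HttpCache {
  constructor() { this.entries = []; }
  static varyKey(varyHeader, req) {
    return (varyHeader || '').split(',').map(h => h.trim().toLowerCase())
      .filter(Boolean).map(h => `${h}=${req.headers[h] || ''}`).join('&');
  }
  fetch(req, server) {
    const hit = this.entries.find(e => e.url === req.url &&
      e.key === HttpCache.varyKey(e.res.headers.vary, req));
    if (hit) return { res: hit.res, fromCache: true };
    const res = server(req);
    this.entries.push({ url: req.url, key: HttpCache.varyKey(res.headers.vary, req), res });
    return { res, fromCache: false };
  }
}

// The browser's CORS check: ACAO must be "*" or equal the requesting origin.
function corsAllows(res, origin) {
  const acao = res.headers['access-control-allow-origin'];
  return acao === '*' || acao === origin;
}

// Load the same URL from two pages on different hosts through one shared cache.
function simulate(sendVary) {
  const cache = new HttpCache();
  const url = 'https://www.w3.org/People/Berners-Lee/card.rdf';
  return ['http://test.lodide.io', 'http://other.example'].map(origin => {
    const { res, fromCache } = cache.fetch({ url, headers: { origin } },
      req => originServer(req, sendVary));
    return { origin, fromCache, allowed: corsAllows(res, origin) };
  });
}

console.log('no Vary  :', simulate(false));
console.log('with Vary:', simulate(true));
```

Without `Vary: Origin` the second host is served the first host's cached response and fails the CORS check; with it, the cache stores one entry per origin and both requests pass.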