Reputation: 5729
Referrer and origin preflight request headers in Safari are not changing when user navigates
I have two web pages hosted on a.example.com and b.example. Each web page is including a script with a <script> tag, hosted on another domain and served with correct CORS headers.
At a certain point, user navigates from a.example.com to b.example.com.
Safari has here a strange behavior: the referrer and origin headers in preflight request are filled with a.example.com, making the server sending a bad value in Access-Control-Allow-Origin (and so the script can't be executed).
Is there a way to force Safari browser to send correct origin header in that kind of scenario ?
Upvotes: 5
Views: 844
Answers (2)
Reputation: 5729
It seemed to be indeed a Safari bug.
The issue is not reproductible on Safari 10.0. It repro only on Safari 9.1.1 / 9.1.3.
Upvotes: 0
Reputation: 6391
Does the cache policy for the script include Vary: Origin?
Respectively is there actually a second request after navigating to b.example.com?
If not, there is a chance that Safari is actually serving the script from cache - despite the Access-Control-Allow-Origin policy forbidding it to access the resource. Which is a conforming behavior, if the cache policy isn't configured correctly.
Upvotes: 1
Related Questions
- CORS error despite Access-Control-Allow-Origin header in preflight response
- Browser sends wrong/previous origin header after JS-redirect
- handling CORS preflight request in Apache
- Safari rejects redirected CORS request due to browser-set headers
- CORS HEADERS present only on preflight or every request
- Why is request preflighted if I add a standard http header when using cors?
- Safari fails CORS request after 302 redirect
- No Referer header in CORS request from IE or Firefox
- Safari doesn't send `referer` header
- Issue in getting custom header in Safari