How to Detect Cross Origin (CORS) Error vs. Other Types of Errors for XMLHttpRequest() in Javascript

by

No, there is no way to tell the difference, according the W3C Spec.

Here’s how the CORS specification specifies the simple cross-origin request procedure:

Apply the make a request steps and observe the request rules below while making the request.

If the manual redirect flag is unset and the response has an HTTP status code of 301, 302, 303, 307, or 308: Apply the redirect steps.

If the end user cancels the request: Apply the abort steps.

If there is a network error: In case of DNS errors, TLS negotiation failure, or other type of network errors, apply the network error steps. Do not request any kind of end user interaction…

Otherwise: Perform a resource sharing check. If it returns fail, apply the network error steps

In the case of either a failed network connection or a failed CORS exchange, the network error steps are applied, so there is literally no way to distinguish between the two cases.

Why? One benefit is that it prevents an attacker from inspecting the network topology of a LAN. For example, a malicious Web page script could find the IP address of your router by requesting its HTTP interface and therefore learn a few things about your network topology (e.g., how big your private IP block is, /8 or /16). Since your router doesn’t (or shouldn’t) send CORS headers, the script learns absolutely nothing.

More Related Contents:

  1. Origin is not allowed by Access-Control-Allow-Origin
  2. No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘…’ is therefore not allowed access
  3. Why am I seeing an “origin is not allowed by Access-Control-Allow-Origin” error here? [duplicate]
  4. Why am I seeing an “origin is not allowed by Access-Control-Allow-Origin” error here? [duplicate]
  5. Microsoft Edge blocked cross-domain requests sent to IPs in same private network CIDR
  6. How to enable CORS in AngularJs
  7. Origin null is not allowed by Access-Control-Allow-Origin
  8. Add a “hook” to all AJAX requests on a page
  9. What is the cleanest way to get the progress of JQuery ajax request?
  10. Cross-Origin Read Blocking (CORB)
  11. XMLHttpRequest status 0 (responseText is empty)
  12. Is onload equal to readyState==4 in XMLHttpRequest?
  13. What do the different readystates in XMLHttpRequest mean, and how can I use them?
  14. Catching an Access-Control-Allow-Origin error in JavaScript
  15. Is CORS a secure way to do cross-domain AJAX requests?
  16. WebKit “Refused to set unsafe header ‘content-length'”
  17. Javascript – No ‘Access-Control-Allow-Origin’ header is present on the requested resource
  18. Intercept fetch() API requests and responses in JavaScript
  19. CORS cookie credentials from mobile WebView loaded locally with file://
  20. XMLHttpRequest to Post HTML Form
  21. Get HTML code using JavaScript with a URL
  22. Is it possible for XHR HEAD requests to not follow redirects (301 302)
  23. Overriding XMLHttpRequest.open()
  24. XMLHttpRequest 206 Partial Content
  25. Ajax – 500 Internal Server Error
  26. Reuse XMLHttpRequest object or create a new one?
  27. Differentiating Between an AJAX Call / Browser Request
  28. Adding X-CSRF-Token header globally to all instances of XMLHttpRequest();
  29. CORS error with jquery
  30. XMLHttpRequest testing in Jest

Leave a Comment