Why does the preflight OPTIONS request of an authenticated CORS request work in Chrome but not Firefox?

by

Why does it work in Chrome and not Firefox?

The W3 spec for CORS preflight requests clearly states that user credentials should be excluded. There is a bug in Chrome and WebKit where OPTIONS requests returning a status of 401 still send the subsequent request.

Firefox has a related bug filed that ends with a link to the W3 public webapps mailing list asking for the CORS spec to be changed to allow authentication headers to be sent on the OPTIONS request at the benefit of IIS users. Basically, they are waiting for those servers to be obsoleted.

How can I get the OPTIONS request to send and respond consistently?

Simply have the server (API in this example) respond to OPTIONS requests without requiring authentication.

Kinvey did a good job expanding on this while also linking to an issue of the Twitter API outlining the catch-22 problem of this exact scenario interestingly a couple weeks before any of the browser issues were filed.

More Related Contents:

  1. Origin is not allowed by Access-Control-Allow-Origin
  2. Response to preflight request doesn’t pass access control check
  3. jQuery XML error ‘ No ‘Access-Control-Allow-Origin’ header is present on the requested resource.’
  4. how to bypass Access-Control-Allow-Origin?
  5. No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘…’ is therefore not allowed access
  6. Why am I seeing an “origin is not allowed by Access-Control-Allow-Origin” error here? [duplicate]
  7. No ‘Access-Control-Allow-Origin’ header is present on the requested resource error
  8. Cross-Origin Read Blocking (CORB)
  9. Origin is not allowed by Access-Control-Allow-Origin
  10. CORS error on same domain?
  11. Why am I seeing an “origin is not allowed by Access-Control-Allow-Origin” error here? [duplicate]
  12. Understanding AJAX CORS and security considerations
  13. AngularJS POST Fails: Response for preflight has invalid HTTP status code 404
  14. Is CORS a secure way to do cross-domain AJAX requests?
  15. Javascript – No ‘Access-Control-Allow-Origin’ header is present on the requested resource
  16. Cross Domain Resource Sharing GET: ‘refused to get unsafe header “etag”‘ from Response
  17. What’s to stop malicious code from spoofing the “Origin” header to exploit CORS?
  18. How to allow CORS in react.js?
  19. Cross-origin resource sharing (CORS) concept
  20. CORS cookie credentials from mobile WebView loaded locally with file://
  21. CORS error for application running from file:// scheme
  22. Solve Cross Origin Resource Sharing with Flask
  23. How to Detect Cross Origin (CORS) Error vs. Other Types of Errors for XMLHttpRequest() in Javascript
  24. Microsoft Edge blocked cross-domain requests sent to IPs in same private network CIDR
  25. XMLHttpRequest: Network Error 0x80070005, Access is denied on Microsoft Edge (but not IE)
  26. CORS error with jquery
  27. Trying to use fetch and pass in mode: no-cors
  28. Sequencing ajax requests
  29. CORS not working on Chrome
  30. How to set a header for a HTTP GET request, and trigger file download?

Leave a Comment