brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

CORS issue because of Brave Shields #2252

Closed SilencerWeb closed 5 years ago

SilencerWeb commented 5 years ago

Consolidated Test plan from all related issues

Test plan

  1. Open https://eslint-config-development.netlify.com.

  2. Console should not log any CORS errors

  3. Visit chart.js

  4. Ensure charts are not broken

  5. Console should not log any CORS errors

  6. Visit https://www.wikiloc.com/mountain-biking-trails/la-quinta-cove-226486

  7. Ensure maps show correctly for both Satellite and Map

  8. Console should not log any CORS errors

  9. Open a new issue on Github with default shields settings

  10. Try to upload an image

  11. Should be able to upload image without any issues

  12. Console should not log any CORS errors

  13. Visit www.reddit.com

  14. Locate a posted video hosted by reddit (https://www.reddit.com/r/Seattle/comments/9uhb5h/snoqualmie_falls_with_foliage_thanks_wa/)

  15. Ensure video plays without any issue

  16. Visit https://d.tube and open any video

  17. Video should start streaming

  18. Console should not log any CORS errors

  19. Go to namecheap.com

  20. Search for a domain

  21. Search result should show up

  22. Console should not log any CORS errors

  23. Go to https://www.skill-capped.com/

  24. Login should be successful

  25. Console should not log any CORS errors

Original issue Description

I have a website deployed on netlify that makes requests to a server deployed to heroku; they are on different domains. I enabled CORS in my server setup but I keep getting the error Access to fetch at 'https://eslint-config-api-server.herokuapp.com/' from origin 'https://eslint-config-development.netlify.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request. It works like that only in Brave.

Steps to Reproduce

  1. Open https://eslint-config-development.netlify.com.
  2. Open console.

Brave version (brave://version info)

0.56.15 Chromium: 70.0.3538.110 (Official Build) (64-bit)

Reproducible on current release:

Website problems only:

charlescrtr commented 5 years ago

Can confirm I'm seeing the same issue when trying to log in to https://prisma.io. Issue fixes itself when Shields are disabled.

Brave version Version 0.56.15 Chromium: 70.0.3538.110 (Official Build) (64-bit)

OrKoN commented 5 years ago

I experience the same problem when trying to perform a CORS request with Brave:

Brave | 0.56.15 Chromium: 70.0.3538.110 (Official Build) (64-bit)
-- | --
Revision | ca97ba107095b2a88cf04f9135463301e685cbb0-refs/branch-heads/3538@{#1094}

dwwoelfel commented 5 years ago

I think this is because Brave is stripping out the Origin header from the initial OPTIONS request.

JFrankfurt commented 5 years ago

I am seeing this all over the place now that I am looking for it. (In fact, I'm seeing it on this github page right now.) It has caused me some problems with calls to non-origin servers in my own work and broken dApp usage with Brave.

LukeDearden commented 5 years ago

Azure Portal is unusable in Brave because of this even with Shields down

SilencerWeb commented 5 years ago

Some of the charts from chart.js break because of this:


Here is the link to this example - https://www.chartjs.org/samples/latest/charts/line/multi-axis.html

bsclifton commented 5 years ago

Several +1s from https://github.com/brave/browser-laptop/issues/15319

renschler commented 5 years ago

I also have this error but even with shields down.

I am collecting sensitive information within an iframe with a cross-domain src (do I have to manually whitelist the iframe domain from brave shield also?).

The iframe page makes a fetch call to POST the information. I'm noticing the CORS preflight OPTIONS request has the origin set to null as @dwwoelfel mentioned. Not sure if that's why it's failing? Things work in Firefox & Chrome.

sudokai commented 5 years ago

Same problem here. Gmail 2FA broken because of this.

On our website, https://www.wikiloc.com, we use Apple MapkitJS and all maps are broken as well.

More users reporting the same issue: https://community.brave.com/t/latest-update-broke-cors-for-my-webapp/39135

Breakage on The Guardian, Facebook and Instagram: https://community.brave.com/t/too-many-redirects-fb-ig-the-guardian/39543/2

olibri-us commented 5 years ago

Got a similar problem that I described here: https://github.com/brave/browser-laptop/issues/15319

SilencerWeb commented 5 years ago

Gosh, these shields block even request from Figma!

jmadkins commented 5 years ago

The user's profile image doesn't load with Shields Up on the Azure Portal. Shields Down allows the profile image and some panes to load. However, the majority of panes don't load regardless of Shield settings.

Version 0.57.18 Chromium: 71.0.3578.80 (Official Build) (64-bit)

petethompson commented 5 years ago

I'm experiencing the same cross-origin issue, with a JavaScript HTTP request from one of my client's websites requesting data from the service where they store their content. It seems like the Shield option for blocking cookies is responsible.

iefremov commented 5 years ago

This change seems to break all preflight CORS requests and hence all CORS requests that require preflight: https://github.com/brave/brave-core/pull/754/files

Since we always clean referrer for cross-origin requests, all these requests become redirects, and preflight redirects are not allowed by policy.

@bbondy @yrliou
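The mechanism described in the comment above (a preflight answered with a redirect is rejected outright, and a preflight without Access-Control-Allow-Origin fails the same way as in the later report on 0.63.48) can be seen in a small model of the browser-side preflight validation. This is an added example, not code from this issue or from brave-core; the request shape, the sample OPTIONS responses and the api.example.invalid host are constructed.

```javascript
// Added example, not code from the Brave issue or brave-core: a simplified model of the
// browser-side CORS preflight check (Fetch spec "CORS-preflight fetch"), run over
// constructed OPTIONS responses that reproduce the console errors quoted in this thread.
// Simplifications: Content-Type is treated as always safelisted; preflight caching is ignored.
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// origin/method/reqHeaders/withCredentials describe the real request the page wants to send;
// response is the reply to its OPTIONS preflight. Returns { ok: true } or { ok: false, reason }.
function checkPreflight(origin, method, reqHeaders, withCredentials, response) {
  const h = response.headers;
  // Any redirect answer to the preflight is a network error. That is the failure mode in
  // this thread: Brave's referrer cleaning turned the preflight into a redirect.
  if (response.status >= 300 && response.status < 400)
    return { ok: false, reason: "Redirect is not allowed for a preflight request." };
  if (response.status < 200 || response.status >= 300)
    return { ok: false, reason: "It does not have HTTP ok status." };
  const acao = h["access-control-allow-origin"];
  if (acao === undefined)
    return { ok: false, reason: "No 'Access-Control-Allow-Origin' header is present on the requested resource." };
  if (withCredentials && acao === "*")
    return { ok: false, reason: "Wildcard '*' is not allowed when the request's credentials mode is 'include'." };
  if (acao !== "*" && acao !== origin)
    return { ok: false, reason: `Origin '${origin}' does not match Access-Control-Allow-Origin '${acao}'.` };
  if (withCredentials && h["access-control-allow-credentials"] !== "true")
    return { ok: false, reason: "Access-Control-Allow-Credentials is not 'true' for a credentialed request." };
  const methods = list(h["access-control-allow-methods"]);
  if (!SAFE_METHODS.has(method) && !methods.includes(method.toLowerCase()) && !(methods.includes("*") && !withCredentials))
    return { ok: false, reason: `Method ${method} is not allowed by Access-Control-Allow-Methods.` };
  const allowed = list(h["access-control-allow-headers"]);
  for (const name of reqHeaders.map((x) => x.toLowerCase())) {
    if (!SAFELISTED.has(name) && !allowed.includes(name) && !(allowed.includes("*") && !withCredentials))
      return { ok: false, reason: `Request header field ${name} is not allowed by Access-Control-Allow-Headers.` };
  }
  return { ok: true };
}

// Constructed sample preflight responses (not real server replies); the origin is the one from the report.
const ORIGIN = "https://eslint-config-development.netlify.com";
const REQ = { method: "PUT", headers: ["Content-Type", "Authorization"], credentials: true };
const redirected = { status: 302, headers: { location: "https://api.example.invalid/" } };
const noAcao = { status: 204, headers: {} };
const good = { status: 204, headers: {
  "access-control-allow-origin": ORIGIN, "access-control-allow-credentials": "true",
  "access-control-allow-methods": "PUT, DELETE", "access-control-allow-headers": "Authorization" } };

// Evaluates one sample against the request above, as the browser would before sending the PUT.
const run = (response) => checkPreflight(ORIGIN, REQ.method, REQ.headers, REQ.credentials, response);
```

Only the first three checks matter for the bug in this thread; the method and header checks show why "fixing" the symptom by relaxing Access-Control-Allow-Origin on the server would not have helped, since the redirect is rejected before any header is examined.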

iefremov commented 5 years ago

Also affects: https://github.com/brave/brave-browser/issues/2034 https://github.com/brave/brave-browser/issues/1999 https://github.com/brave/brave-browser/issues/1581

srirambv commented 5 years ago

CORS Policy breaks image upload on vistaprint.com. The only way to upload image is to disable shields and use the site.

srirambv commented 5 years ago

@iefremov the following issues are all CORS related.

tsujp commented 5 years ago

+1 spent a longer than reasonable amount of time trying to debug this for a project I am developing, affects Brave Browser ~only regardless of~ shields up ~or down~. Exact same project works fine under Firefox, Safari, and Chrome.

jonathansampson commented 5 years ago

@hito Are you sure that the issue you were facing is the same issue discussed here? The issue being discussed here is usually resolved by lowering the shields (or specifically, modifying the cookie-related settings, AFAIK). Are you able to share a link to the issue you're facing? Perhaps a reduced project to help us identify/confirm the root issue?

johnspurlock commented 5 years ago

@jonathansampson A repro case, but perhaps not the same one as @hito.

  1. Go to https://convopage.com
  2. Put 1077284887202316289 in the box, hit 'get convopage'

This works fine with shields down, but fails with an error [1] with shields up, desktop mac brave version [2] below.

[1] Access to XMLHttpRequest at '' from origin '' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

[2] Version 0.59.12 Chromium: 72.0.3626.17 (Official Build) beta (64-bit)

tsujp commented 5 years ago

Apologies @jonathansampson this isn't an issue with shields disabled, I mucked up there and will strike this part out of my response – this doesn't detract from the fact that silently editing CORS headers with the shield active (something almost all users will have) means this literally breaks some applications unless a proxy is used specifically for Brave, or if detection is added in js for Brave (all you could then do is display a modal asking to remove shields for this site.. which I wouldn't do if some random website asked me to).

Both of these aren't great. I think this needs to be the highest priority ticket to fix, especially given the number of issues surrounding CORS with Brave.

I've had to tell my friends who test my stuff sometimes to specifically disable their shields on test domains I give them, not good. I'd have to detect Brave and issue a modal for other users on production, or rebuild the entire API I am using through some proxy. Both of which I don't want to do.

eljuno commented 5 years ago

+1 from Community https://community.brave.com/t/cant-load-aws-logs/41473?u=eljuno

Brave-Matt commented 5 years ago

+1 from Community (most likely): https://community.brave.com/t/problem-with-spotify/41580/4

☝️ It seems to be causing Spotify to skip to a random track (when first attempting playback), land on one, but not actually play it. This can be consistently produced until Shields are dropped or All Cookies are allowed. Console view: image

Brave-Matt commented 5 years ago

I also get the same error on Amazon Prime video, but only in the Beta channel release (v0.59.14): apvcors

MisinformedDNA commented 5 years ago

I'm seeing this on https://portal.azure.com as well. Original issue.

I'm on Brave v0.58.18

cemerson commented 5 years ago

> Azure Portal is unusable in Brave because of this even with Shields down

Ditto. Here's screen of messages in console when trying to approve credit card on Azure Signup Portal.

iefremov commented 5 years ago

Closed all dupes I could find. Not sure about #2580, can't test it quickly.

#2286 is not related to this issue.

btlechowski commented 5 years ago

Verification passed on

Brave 0.58.20 Chromium: 71.0.3578.98 (Official Build) (64-bit)
Revision 15234034d19b85dcd9a03b164ae89d04145d8368-refs/branch-heads/3578@{#897}
OS Windows 7

Used test plan from OP.

Verified passed with

Brave 0.58.20 Chromium: 71.0.3578.98 (Official Build) (64-bit)
Revision 15234034d19b85dcd9a03b164ae89d04145d8368-refs/branch-heads/3578@{#897}
OS Mac OS X

Verification PASSED on Mint 19.3 x64 VM using the following build:

Brave 0.58.20 Chromium: 71.0.3578.98 (Official Build) (64-bit)
Revision 15234034d19b85dcd9a03b164ae89d04145d8368-refs/branch-heads/3578@{#897}
OS Linux

olibri-us commented 5 years ago

Updated to 0.58.21 on Mac OS and it now works perfectly ! I love u guys ;) Keep the good work up !!!!

m-ret commented 5 years ago

I am having this issue right now on Version 0.63.48 Chromium: 74.0.3729.108 (Official Build) (64-bit).

Access to fetch at 'http://some/api/url' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

ghost commented 5 years ago

0.63.55 Chromium: 74.0.3729.131 (Official Build) (64-bit)

I'm receiving the same CORS preflight error as others. It prevents signing in to medium.com (via email, twitter, google, and fb). Issue persists with 'allow all cookies' enabled and with shields down.

michaeltintiuc commented 4 years ago

Also happens on https://my.playstation.com/ for me with Brave 1.8.96 on Linux and works fine in Firefox