brave / browser-laptop

[DEPRECATED] Please see https://github.com/brave/brave-browser for the current version of Brave
https://www.brave.com

CORS Redirects to same domain are blocked #15319

Closed sdesmond46 closed 5 years ago

sdesmond46 commented 5 years ago

Troubleshooting checklist

There's a good chance the bug you're about to report is fixed in the new version of Brave

If you'd like to continue for this old version, please check the applicable items:

Description

When attempting to make a CORS request from JavaScript, 307 redirect responses to the same domain are blocked. The error which appears is: Access to fetch at 'https://cognito-idp.us-west-2.amazonaws.com/' from origin 'https://dashboard.nodesmith.io' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

In this example we are receiving a redirect (307) response, the redirect domain is exactly the same as the original, so the redirect should be allowed.

Here's what the request looks like

General
Request URL: https://cognito-idp.us-west-2.amazonaws.com/
Request Method: OPTIONS
Status Code: 307 Internal Redirect
Referrer Policy: no-referrer-when-downgrade

Response Headers
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://dashboard.nodesmith.io
Location: https://cognito-idp.us-west-2.amazonaws.com/
Non-Authoritative-Reason: Delegate

Request Headers
Provisional headers are shown
Access-Control-Request-Headers: content-type,x-amz-target,x-amz-user-agent
Access-Control-Request-Method: POST
Origin: https://dashboard.nodesmith.io
Referer: https://dashboard.nodesmith.io/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36

I don't see the same issues in Chrome or Firefox. Additionally, if I enable 3rd party cookies for the page, the request will go through (I'm not quite sure how the 3rd party cookies are related to all this).

Steps to Reproduce

Edit: These steps no longer reproduce the issue because we switched out our authentication system to get around this bug. There are plenty of other examples of the bug in the issue though.

  1. Go to https://dashboard.nodesmith.io/#/logIn
  2. Enter foo@bar.com for username and ABC123!@# for a password
  3. Hit Log In

EXPECTED: Requests hit the IDP servers and notify that the password is invalid
ACTUAL: CORS error on the 307 response

What version of Brave are you using?

0.56.15 Chromium: 70.0.3538.110 (Official Build) (64-bit)
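As an added illustration (not code from the issue or from Brave), the check below models the Fetch standard's CORS-preflight rules and runs them over the headers captured above: a preflight response must be a 2xx, so the 307 fails before the Allow-Origin headers are even consulted, and a server that answers the OPTIONS request directly passes. The sample responses and the request object are constructed from the issue's headers; the header-safelist rules are simplified.

```javascript
// Added example, not from the issue or Brave: a CORS preflight evaluator.
// Constructed sample: the preflight captured in the issue, as status + headers.
const capturedPreflight = {
  status: 307,
  headers: {
    "access-control-allow-credentials": "true",
    "access-control-allow-origin": "https://dashboard.nodesmith.io",
    location: "https://cognito-idp.us-west-2.amazonaws.com/",
  },
};
// Constructed: the same server answering the OPTIONS request directly.
const directPreflight = {
  status: 204,
  headers: {
    "access-control-allow-credentials": "true",
    "access-control-allow-origin": "https://dashboard.nodesmith.io",
    "access-control-allow-methods": "POST",
    "access-control-allow-headers": "content-type,x-amz-target,x-amz-user-agent",
  },
};
// The credentialed request the browser is asking permission for.
const request = {
  origin: "https://dashboard.nodesmith.io",
  method: "POST",
  headers: ["content-type", "x-amz-target", "x-amz-user-agent"],
  credentials: true,
};
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Returns null when the preflight passes, otherwise the reason it is blocked.
// Simplification: every header named in Access-Control-Request-Headers must be
// listed; CORS-safelisted header value rules are not modelled.
function preflightFailureReason(req, res) {
  const h = res.headers;
  // A preflight is never followed through a redirect: any 3xx is a network error,
  // even when Location is the original URL (the "Internal Redirect" in the issue).
  if (res.status >= 300 && res.status <= 399) return "redirect not allowed for preflight";
  if (res.status < 200 || res.status > 299) return "preflight status not ok";
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== req.origin) return "origin not allowed";
  if (req.credentials && allowOrigin === "*") return "wildcard origin rejected with credentials";
  if (req.credentials && h["access-control-allow-credentials"] !== "true") return "credentials not allowed";
  const m = req.method.toLowerCase();
  const methods = list(h["access-control-allow-methods"]);
  if (!["get", "head", "post"].includes(m) && !methods.includes(m)) return `method ${req.method} not allowed`;
  const allowed = list(h["access-control-allow-headers"]);
  const missing = req.headers.map((x) => x.toLowerCase()).filter((x) => !allowed.includes(x));
  return missing.length ? `headers not allowed: ${missing.join(",")}` : null;
}
```

Running `preflightFailureReason(request, capturedPreflight)` reports the redirect, while `directPreflight` passes; omitting the Allow-Headers list from an otherwise good response names the headers that were requested but not granted.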

pooleja commented 5 years ago

I am seeing this issue as well and can confirm it does not happen on Chrome/Firefox browsers (desktop). According to this thread the standard was updated to allow redirects.

https://stackoverflow.com/questions/34949492/cors-request-with-preflight-and-redirect-disallowed-workarounds

illestrater commented 5 years ago

Running into the same issue:

Access to fetch at 'https://api.spotify.com/v1/me/notifications/user?connection_id=xxxxxxx' from origin 'https://sdk.scdn.co' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

jmgasper commented 5 years ago

I see the same issue when attempting to login to https://topcoder.com. This does not happen on Chrome, Firefox, or Safari.

Access to fetch at 'https://topcoder.auth0.com/oauth/ro' from origin 'https://accounts.topcoder.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

superandrew213 commented 5 years ago

Seeing this too on my dev site. CORS has been set correctly and works fine on all other browsers.

Version 0.57.18 Chromium: 71.0.3578.80 (Official Build) (64-bit)

olibri-us commented 5 years ago

+1 !

I have the exact same problem with a 307 Internal redirect on an OPTIONS call to my API. It appeared this morning after updating to: Version 0.57.18 Chromium: 71.0.3578.80 (Build officiel) (64 bits)

Works fine on Chrome 71 Version 71.0.3578.80 (Build officiel) (64 bits)

GuillermoCasanova commented 5 years ago

Seeing this issue as well, this site: http://www.humanaut.is/ works on Safari, Chrome and Firefox. But breaks entirely due to CORS error as seen in the console.

djuretic commented 5 years ago

It is also happening to me! I updated today and I get 307 redirect in calls to my API, and Chrome works fine.

Version 0.57.18 Chromium: 71.0.3578.80 (Official Build) (64-bit)

lstrzebinczyk commented 5 years ago

Same thing here, worked just fine yesterday.

johnspurlock commented 5 years ago

Recently receiving this too [1]. This is bad, since all aws api gateway cors integrations work by redirecting the options request to itself. Works in other browsers.

[1] Version 0.57.8 Chromium: 71.0.3578.53 (Official Build) beta (64-bit)

bsclifton commented 5 years ago

Hey there folks! This is actually the repository for the older Muon-based version of Brave.

There is an issue tracking this though. Please check out https://github.com/brave/brave-browser/issues/2252 and subscribe for updates 😄