chromiumembedded / cef

Chromium Embedded Framework (CEF). A simple framework for embedding Chromium-based browsers in other applications.
https://bitbucket.org/chromiumembedded/cef/

GitHub's "Download raw file" doesn't work with CORS error #3675

Closed HashidaTKS closed 4 months ago

HashidaTKS commented 6 months ago

Describe the bug

GitHub's "Download raw file" button doesn't work on CEF v120 or later. It works fine on CEF v119.

To Reproduce

  1. Download cefclient.exe from https://cef-builds.spotifycdn.com/index.html#windows32
  2. Open https://github.com/chromiumembedded/cef ... /README.md
  3. Click a "Download raw file" button
     [Screenshot from 2024-03-29 10-39-14]

Then, downloading doesn't start.

By tracing, the following CORS error was logged.

{
"args": {
"message": {
"content": "Access to fetch at 'https://raw.githubusercontent.com/chromiumembedded/cef/master/README.md' (redirected from 'https://github.com/chromiumembedded/cef/raw/master/README.md') from origin 'https://github.com' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.",
"url": "https://github.com/chromiumembedded/cef/blob/master/README.md"
},
"source": "JS"
},
"cat": "blink.console",
"name": "ConsoleMessage::Error",
"ph": "I",
"pid": 17392,
"s": "t",
"tid": 17084,
"ts": 327178865475,
"tts": 6476426
},

Expected behavior

We can download raw files.

Screenshots

N/A

Versions (please complete the following information):

I have confirmed this only on Windows; I have not confirmed whether it occurs on other platforms.

Additional context

The "Download raw file" button works fine on Google Chrome v123.0.6312.86.

Spartan-Hex-Shadow commented 6 months ago

Want to add that this could potentially be a result of the change in how CORS is handled between V119 and V120:

V119 - https://github.com/chromiumembedded/cef/blob/6045/libcef/browser/net_service/proxy_url_loader_factory.cc
V120 - https://github.com/chromiumembedded/cef/blob/6099/libcef/browser/net_service/proxy_url_loader_factory.cc

  // Match logic in network::cors::ShouldCheckCors.
  bool should_check_cors =
      is_cross_origin &&
      request_.mode != network::mojom::RequestMode::kNavigate &&
      request_.mode != network::mojom::RequestMode::kNoCors;

  if (should_check_cors && !is_cors_enabled_scheme &&
      !HasCrossOriginWhitelistEntry(*request_.request_initiator,
                                    url::Origin::Create(request_.url))) {
    // Fail requests if a CORS check is required and the scheme is not CORS
    // enabled. This matches the error condition that would be generated by
    // CorsURLLoader::StartRequest in the network process.
    SendErrorStatusAndCompleteImmediately(
        network::URLLoaderCompletionStatus(network::CorsErrorStatus(
            network::mojom::CorsError::kCorsDisabledScheme)));
    return;
  }
"""
Spartan-Hex-Shadow commented 5 months ago

@magreenblatt any update on this?

magreenblatt commented 4 months ago

Access to fetch at 'https://raw.githubusercontent.com/chromiumembedded/cef/master/README.md' (redirected from 'https://github.com/chromiumembedded/cef/raw/master/README.md') from origin 'https://github.com' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.

The request contains credentials (cookies) and the response has an empty access-control-allow-origin value (see below), which is technically not allowed. We should look at why this is being converted to Access-Control-Allow-Origin: * when it should instead (probably) be treated as a missing Access-Control-Allow-Origin header.

There might also be a problem with missing related website sets support with the CEF-side CORS checks.

Details

The request/response contents with and without --disable-request-handling-for-testing are the same.

Without --disable-request-handling-for-testing (redirect is blocked):

t=2342 [st=14]       +HTTP_TRANSACTION_SEND_REQUEST  [dt=3]
t=2343 [st=15]          HTTP_TRANSACTION_HTTP2_SEND_REQUEST_HEADERS
                        --> :method: GET
                            :authority: github.com
                            :scheme: https
                            :path: /chromiumembedded/cef/raw/master/README.md
                            sec-ch-ua: "Chromium";v="125", "Not.A/Brand";v="24"
                            sec-ch-ua-mobile: ?0
                            user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
                            sec-ch-ua-platform: "Windows"
                            accept: */*
                            cookie: [472 bytes were stripped]
                            sec-fetch-site: same-origin
                            sec-fetch-mode: cors
                            sec-fetch-dest: empty
                            referer: https://github.com/chromiumembedded/cef/blob/master/README.md
                            accept-encoding: gzip, deflate, br, zstd
                            accept-language: en
                            priority: u=1, i
t=2345 [st=17]       -HTTP_TRANSACTION_SEND_REQUEST
t=2345 [st=17]       +HTTP_TRANSACTION_READ_HEADERS  [dt=39]
t=2383 [st=55]          HTTP_TRANSACTION_READ_RESPONSE_HEADERS
                        --> HTTP/1.1 302
                            server: GitHub.com
                            date: Mon, 06 May 2024 16:42:13 GMT
                            content-type: text/html; charset=utf-8
                            vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                            access-control-allow-origin: 
                            location: https://raw.githubusercontent.com/chromiumembedded/cef/master/README.md
                            cache-control: no-cache
                            strict-transport-security: max-age=31536000; includeSubdomains; preload
                            x-frame-options: deny
                            x-content-type-options: nosniff
                            x-xss-protection: 0
                            referrer-policy: no-referrer-when-downgrade
                            content-security-policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com api.githubcopilot.com objects-origin.githubusercontent.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: github.githubassets.com media.githubusercontent.com 
camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
                            content-length: 0
                            x-github-request-id: DD4B:212569:1E16FA9:2BD48DA:66390872

With --disable-request-handling-for-testing (redirect works):

t=2317 [st=139]       +HTTP_TRANSACTION_SEND_REQUEST  [dt=2]
t=2317 [st=139]          HTTP_TRANSACTION_HTTP2_SEND_REQUEST_HEADERS
                         --> :method: GET
                             :authority: github.com
                             :scheme: https
                             :path: /chromiumembedded/cef/raw/master/README.md
                             sec-ch-ua: "Chromium";v="125", "Not.A/Brand";v="24"
                             sec-ch-ua-mobile: ?0
                             user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
                             sec-ch-ua-platform: "Windows"
                             accept: */*
                             sec-fetch-site: same-origin
                             sec-fetch-mode: cors
                             sec-fetch-dest: empty
                             referer: https://github.com/chromiumembedded/cef/blob/master/README.md
                             accept-encoding: gzip, deflate, br, zstd
                             accept-language: en
                             cookie: [456 bytes were stripped]
                             priority: u=1, i
t=2319 [st=141]       -HTTP_TRANSACTION_SEND_REQUEST
t=2319 [st=141]       +HTTP_TRANSACTION_READ_HEADERS  [dt=100]
t=2357 [st=179]          HTTP2_STREAM_UPDATE_SEND_WINDOW
                         --> delta = 67043329
                         --> stream_id = 1
                         --> window_size = 67108864
t=2419 [st=241]          HTTP_TRANSACTION_READ_RESPONSE_HEADERS
                         --> HTTP/1.1 302
                             server: GitHub.com
                             date: Mon, 06 May 2024 16:47:21 GMT
                             content-type: text/html; charset=utf-8
                             vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                             access-control-allow-origin: 
                             location: https://raw.githubusercontent.com/chromiumembedded/cef/master/README.md
                             cache-control: no-cache
                             strict-transport-security: max-age=31536000; includeSubdomains; preload
                             x-frame-options: deny
                             x-content-type-options: nosniff
                             x-xss-protection: 0
                             referrer-policy: no-referrer-when-downgrade
                             content-security-policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com api.githubcopilot.com objects-origin.githubusercontent.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: github.githubassets.com media.githubusercontent.com 
camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
                             content-length: 0
                             x-github-request-id: DE4A:339012:1B34626:277F608:66390999

And then the redirect request:

t=2598 [st=420]       +HTTP_TRANSACTION_SEND_REQUEST  [dt=2]
t=2598 [st=420]          HTTP_TRANSACTION_HTTP2_SEND_REQUEST_HEADERS
                         --> :method: GET
                             :authority: raw.githubusercontent.com
                             :scheme: https
                             :path: /chromiumembedded/cef/master/README.md
                             sec-ch-ua: "Chromium";v="125", "Not.A/Brand";v="24"
                             sec-ch-ua-mobile: ?0
                             user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
                             sec-ch-ua-platform: "Windows"
                             accept: */*
                             origin: https://github.com
                             sec-fetch-site: cross-site
                             sec-fetch-mode: cors
                             sec-fetch-dest: empty
                             referer: https://github.com/chromiumembedded/cef/blob/master/README.md
                             accept-encoding: gzip, deflate, br, zstd
                             accept-language: en
                             if-none-match: W/"fc4d2de1daa98a975391cab2c53695f0e40b4a06e1ba2c057a879377cc012f4d"
                             priority: u=1, i
t=2600 [st=422]       -HTTP_TRANSACTION_SEND_REQUEST
t=2600 [st=422]       +HTTP_TRANSACTION_READ_HEADERS  [dt=94]
t=2694 [st=516]          HTTP_TRANSACTION_READ_RESPONSE_HEADERS
                         --> HTTP/1.1 304
                             date: Mon, 06 May 2024 16:47:21 GMT
                             via: 1.1 varnish
                             cache-control: max-age=300
                             etag: W/"fc4d2de1daa98a975391cab2c53695f0e40b4a06e1ba2c057a879377cc012f4d"
                             x-served-by: cache-dtw8024-DTW
                             x-cache: HIT
                             x-cache-hits: 0
                             x-timer: S1715014042.790635,VS0,VE72
                             vary: Authorization,Accept-Encoding,Origin
                             access-control-allow-origin: *
                             cross-origin-resource-policy: cross-origin
                             x-fastly-request-id: b6c950def2ca203f1b1aef494fd78d38e4c3014d
                             expires: Mon, 06 May 2024 16:52:21 GMT
magreenblatt commented 4 months ago

The request contains credentials (cookies) and the response has an empty access-control-allow-origin value (see below), which is technically not allowed. We should look at why this is being converted to Access-Control-Allow-Origin: * when it should instead (probably) be treated as a missing Access-Control-Allow-Origin header.

It's actually failing the CORS preflight request for "https://raw.githubusercontent.com/chromiumembedded/cef/master/README.md" in the network process.

Call stack:

>   network_cpp.dll!network::cors::CheckAccess(const GURL & response_url, const std::__Cr::optional<std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>> & allow_origin_header, const std::__Cr::optional<std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>> & allow_credentials_header, network::mojom::CredentialsMode credentials_mode, const url::Origin & origin) Line 164   C++
    network_cpp.dll!network::cors::CheckAccessAndReportMetrics(const GURL & response_url, const std::__Cr::optional<std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>> & allow_origin_header, const std::__Cr::optional<std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>> & allow_credentials_header, network::mojom::CredentialsMode credentials_mode, const url::Origin & origin) Line 229   C++
    services_network_network_service.dll!network::cors::CorsURLLoader::OnReceiveResponse(mojo::StructPtr<network::mojom::URLResponseHead> response_head, mojo::ScopedHandleBase<mojo::DataPipeConsumerHandle> body, std::__Cr::optional<mojo_base::BigBuffer> cached_metadata) Line 606 C++

Request:

-       request_    {method=0x0000023d16112178 "GET" url=0x0000023d15c79040 "https://raw.githubusercontent.com/chromiumembedded/cef/master/README.md" ...}  network::ResourceRequest
+       method  0x0000023d16112178 "GET"    std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>
+       url 0x0000023d15c79040 "https://raw.githubusercontent.com/chromiumembedded/cef/master/README.md"    GURL
+       site_for_cookies    {site_={site_as_origin_={tuple_={scheme_=0x0000023d16112208 "https" host_=0x0000023d16112220 "github.com" ...} ...} } ...}  net::SiteForCookies
        update_first_party_url_on_redirect  false   bool
+       request_initiator   {tuple_={scheme_=0x0000023d16112268 "https" host_=0x0000023d16112280 "github.com" port_=0x01bb } nonce_=...}    std::__Cr::optional<url::Origin>
+       isolated_world_origin   nullopt std::__Cr::optional<url::Origin>
+       navigation_redirect_chain   { size=0x0000000000000000 } std::__Cr::vector<GURL,std::__Cr::allocator<GURL>>
+       referrer    0x0000023d15c7ad80 "https://github.com/chromiumembedded/cef/blob/master/README.md"  GURL
        referrer_policy CLEAR_ON_TRANSITION_FROM_SECURE_TO_INSECURE (0x00000000)    net::ReferrerPolicy
-       headers {headers_={ size=0x000000000000000b } } net::HttpRequestHeaders
-       headers_    { size=0x000000000000000b } std::__Cr::vector<net::HttpRequestHeaders::HeaderKeyValuePair,std::__Cr::allocator<net::HttpRequestHeaders::HeaderKeyValuePair>>
+       [0x00000000]    {key=0x0000023d15c40910 "sec-ch-ua" value=0x0000023d160d7050 "\"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"" }   net::HttpRequestHeaders::HeaderKeyValuePair
+       [0x00000001]    {key=0x0000023d15c40940 "sec-ch-ua-mobile" value=0x0000023d15c40958 "?0" }  net::HttpRequestHeaders::HeaderKeyValuePair
+       [0x00000002]    {key=0x0000023d15c40970 "User-Agent" value=0x0000023d15c2bfb0 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" }   net::HttpRequestHeaders::HeaderKeyValuePair
+       [0x00000003]    {key=0x0000023d15c409a0 "sec-ch-ua-platform" value=0x0000023d15c409b8 "\"Windows\"" }   net::HttpRequestHeaders::HeaderKeyValuePair
+       [0x00000004]    {key=0x0000023d15c409d0 "Accept" value=0x0000023d15c409e8 "*/*" }   net::HttpRequestHeaders::HeaderKeyValuePair
+       [0x00000005]    {key=0x0000023d15c40a00 "Sec-Fetch-Site" value=0x0000023d15c40a18 "same-origin" }   net::HttpRequestHeaders::HeaderKeyValuePair
+       [0x00000006]    {key=0x0000023d15c40a30 "Sec-Fetch-Mode" value=0x0000023d15c40a48 "cors" }  net::HttpRequestHeaders::HeaderKeyValuePair
+       [0x00000007]    {key=0x0000023d15c40a60 "Sec-Fetch-Dest" value=0x0000023d15c40a78 "empty" } net::HttpRequestHeaders::HeaderKeyValuePair
+       [0x00000008]    {key=0x0000023d15c40a90 "Referer" value=0x0000023d15fb1200 "https://github.com/chromiumembedded/cef/blob/master/README.md" }    net::HttpRequestHeaders::HeaderKeyValuePair
+       [0x00000009]    {key=0x0000023d15c40ac0 "Accept-Encoding" value=0x0000023d158addd0 "gzip, deflate, br, zstd" }  net::HttpRequestHeaders::HeaderKeyValuePair
+       [0x0000000a]    {key=0x0000023d15c40af0 "Origin" value=0x0000023d15c40b08 "https://github.com" }    net::HttpRequestHeaders::HeaderKeyValuePair
+       [Raw View]  {__begin_=0x0000023d15c40910 {key=0x0000023d15c40910 "sec-ch-ua" value=0x0000023d160d7050 "\"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"" } ...} std::__Cr::vector<net::HttpRequestHeaders::HeaderKeyValuePair,std::__Cr::allocator<net::HttpRequestHeaders::HeaderKeyValuePair>>
+       cors_exempt_headers {headers_={ size=0x0000000000000000 } } net::HttpRequestHeaders
        load_flags  0x00024000  int
        resource_type   0x0000000d  int
        priority    MEDIUM (0x00000004) net::RequestPriority
        priority_incremental    true    bool
        cors_preflight_policy   kConsiderPreflight (0x00000000) network::mojom::CorsPreflightPolicy
        originated_from_service_worker  false   bool
        skip_service_worker false   bool
        mode    kCors (0x00000002)  network::mojom::RequestMode
        required_ip_address_space   kUnknown (0x00000003)   network::mojom::IPAddressSpace
        credentials_mode    kInclude (0x00000002)   network::mojom::CredentialsMode
        redirect_mode   kFollow (0x00000000)    network::mojom::RedirectMode
+       fetch_integrity 0x0000023d16112408 ""   std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>
        destination kEmpty (0x00000000) network::mojom::RequestDestination
        original_destination    kEmpty (0x00000000) network::mojom::RequestDestination
+       request_body    null    scoped_refptr<network::ResourceRequestBody>
        keepalive   false   bool
        browsing_topics false   bool
        ad_auction_headers  false   bool
        shared_storage_writable_eligible    false   bool
        has_user_gesture    true    bool
        enable_load_timing  true    bool
        enable_upload_progress  false   bool
        do_not_prompt_for_login false   bool
        is_outermost_main_frame true    bool
        transition_type 0x00000000  int
        previews_state  0x00000000  int
        upgrade_if_insecure true    bool
        is_revalidating false   bool
+       throttling_profile_id   nullopt std::__Cr::optional<base::UnguessableToken>
+       custom_proxy_pre_cache_headers  {headers_={ size=0x0000000000000000 } } net::HttpRequestHeaders
+       custom_proxy_post_cache_headers {headers_={ size=0x0000000000000000 } } net::HttpRequestHeaders
+       fetch_window_id nullopt std::__Cr::optional<base::UnguessableToken>
+       devtools_request_id nullopt std::__Cr::optional<std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>
+       devtools_stack_id   nullopt std::__Cr::optional<std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>
        is_fetch_like_api   true    bool
        is_fetch_later_api  false   bool
        is_favicon  false   bool
+       recursive_prefetch_token    nullopt std::__Cr::optional<base::UnguessableToken>
+       trusted_params  nullopt std::__Cr::optional<network::ResourceRequest::TrustedParams>
+       trust_token_params  {ptr_={ptr_=empty } }   network::OptionalTrustTokenParams
+       web_bundle_token_params nullopt std::__Cr::optional<network::ResourceRequest::WebBundleTokenParams>
+       devtools_accepted_stream_types  nullopt std::__Cr::optional<std::__Cr::vector<net::SourceStream::SourceType,std::__Cr::allocator<net::SourceStream::SourceType>>>
+       net_log_create_info {type=URL_REQUEST (0x00000001) id=0x0000033e start_time={...} } std::__Cr::optional<net::NetLogSource>
+       net_log_reference_info  nullopt std::__Cr::optional<net::NetLogSource>
        target_ip_address_space kUnknown (0x00000003)   network::mojom::IPAddressSpace
        has_storage_access  false   bool
        attribution_reporting_support   kWeb (0x00000000)   network::mojom::AttributionSupport
        attribution_reporting_eligibility   kUnset (0x00000000) network::mojom::AttributionReportingEligibility
+       attribution_reporting_runtime_features  {enums_={...} } base::EnumSet<network::AttributionReportingRuntimeFeature,0,0>
        shared_dictionary_writer_enabled    true    bool
+       attribution_reporting_src_token nullopt std::__Cr::optional<base::UnguessableToken>
        is_ad_tagged    false   bool

Response headers:

HTTP/1.1 200
date: Mon, 06 May 2024 17:35:02 GMT
via: 1.1 varnish
cache-control: max-age=300
x-served-by: cache-dtw8023-DTW
x-cache: HIT
x-cache-hits: 0
x-timer: S1715016903.828258,VS0,VE74
vary: Authorization,Accept-Encoding,Origin
access-control-allow-origin: *
cross-origin-resource-policy: cross-origin
x-fastly-request-id: ca5bde052bd83d831e9f27334c2a6d8b0f2bc903
expires: Mon, 06 May 2024 17:40:02 GMT
content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
content-type: text/plain; charset=utf-8
etag: W/"fc4d2de1daa98a975391cab2c53695f0e40b4a06e1ba2c057a879377cc012f4d"
x-content-type-options: nosniff
x-frame-options: deny
x-xss-protection: 1; mode=block
x-github-request-id: CB0A:2D507C:B7EC3A:CD9F98:66390413
content-encoding: gzip
accept-ranges: bytes
source-age: 0
content-length: 3074

magreenblatt commented 4 months ago

With --disable-request-handling-for-testing the |credentials_mode| is kSameOrigin instead of kInclude, which then passes the CheckAccess check.

The problem appears to be the logic here that converts kSameOrigin to kInclude for fetch requests. This was part of the changes to fix issue #3596.

An identical |credentials_mode| modification is happening in CorsURLLoader::StartNetworkRequest, however it's then being reset to the original value (kSameOrigin) a bit later in the same method.
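To make the two checks discussed in this thread concrete, the following is an added example (my own code, not CEF's or Chromium's) that models the should_check_cors gate quoted from proxy_url_loader_factory.cc and the Fetch standard's "CORS check" that network::cors::CheckAccess implements, then runs it against the raw.githubusercontent.com response from the logs above (Access-Control-Allow-Origin: *, no Access-Control-Allow-Credentials, request origin https://github.com) with credentials mode kInclude versus kSameOrigin. The enum and function names are this example's own and only echo Chromium's for readability; it assumes a C++17 compiler for std::optional.

```cpp
// Added example (not CEF or Chromium code): a minimal model of the CORS
// access check this thread is about, written to the Fetch standard's
// "CORS check" rules. Names echo network::cors::CheckAccess but are the
// example's own.
#include <cstdio>
#include <optional>
#include <string>

enum class RequestMode { kNavigate, kNoCors, kCors };
enum class CredentialsMode { kOmit, kSameOrigin, kInclude };

enum class CorsError {
  kOk,
  kMissingAllowOriginHeader,
  kWildcardOriginNotAllowed,
  kAllowOriginMismatch,
  kInvalidAllowCredentials,
};

// Same condition as the should_check_cors snippet quoted in the thread:
// only cross-origin requests whose mode is neither navigate nor no-cors
// are subject to the CORS check at all.
bool ShouldCheckCors(bool is_cross_origin, RequestMode mode) {
  return is_cross_origin && mode != RequestMode::kNavigate &&
         mode != RequestMode::kNoCors;
}

// Fetch standard "CORS check" applied to one response.
CorsError CheckAccess(const std::optional<std::string>& allow_origin_header,
                      const std::optional<std::string>& allow_credentials_header,
                      CredentialsMode credentials_mode,
                      const std::string& request_origin) {
  // Header absent: failure. An empty value (as in GitHub's 302 above) is
  // present but matches no origin, so it fails below as a mismatch; either
  // way a credentialed cross-origin read is denied.
  if (!allow_origin_header) return CorsError::kMissingAllowOriginHeader;

  if (*allow_origin_header == "*") {
    // "*" is only acceptable when the request carries no credentials.
    return credentials_mode == CredentialsMode::kInclude
               ? CorsError::kWildcardOriginNotAllowed
               : CorsError::kOk;
  }

  if (*allow_origin_header != request_origin)
    return CorsError::kAllowOriginMismatch;

  // A credentialed request additionally needs
  // Access-Control-Allow-Credentials: true (exact, case-sensitive).
  if (credentials_mode == CredentialsMode::kInclude &&
      (!allow_credentials_header || *allow_credentials_header != "true"))
    return CorsError::kInvalidAllowCredentials;

  return CorsError::kOk;
}

// The raw.githubusercontent.com response from the thread's logs:
// access-control-allow-origin: *, no allow-credentials header, and the
// request initiated from https://github.com. Only credentials_mode varies.
CorsError CheckRawGithubResponse(CredentialsMode credentials_mode) {
  return CheckAccess(std::string("*"), std::nullopt, credentials_mode,
                     "https://github.com");
}

const char* ToString(CorsError e) {
  switch (e) {
    case CorsError::kOk: return "ok";
    case CorsError::kMissingAllowOriginHeader: return "missing ACAO header";
    case CorsError::kWildcardOriginNotAllowed: return "wildcard not allowed with credentials";
    case CorsError::kAllowOriginMismatch: return "ACAO does not match origin";
    case CorsError::kInvalidAllowCredentials: return "ACAC missing or not 'true'";
  }
  return "?";
}

int main() {
  std::printf("kInclude:    %s\n", ToString(CheckRawGithubResponse(CredentialsMode::kInclude)));
  std::printf("kSameOrigin: %s\n", ToString(CheckRawGithubResponse(CredentialsMode::kSameOrigin)));
  return 0;
}
```

With kInclude the check reports exactly the error the original report shows ("must not be the wildcard '*' when the request's credentials mode is 'include'"); with kSameOrigin, which is what the request carries when --disable-request-handling-for-testing is set, the wildcard passes because a cross-origin request in that mode sends no cookies.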