Sec-Fetch-Mode and blocked CORS

google-chrome cors http-status-code-400 sec-fetch-site sec-fetch-mode
Benjamin E. picture Benjamin E. · Sep 19, 2019 · Viewed 12.2k times · Source

So I have the same website making the same request to the same server on (1) Chrome 76 and (2) Chrome 77 from different networks and computers.

One request has (1) Sec-Fetch-Mode: no-cors, Sec-Fetch-Site: cross-site and the other one (2) Sec-Fetch-Mode: cors, Sec-Fetch-Site: same-site. The one with no-cors fails with a 400 to a C# Web API endpoint with CORS enabled (for years and thousands of different users on all kinds of devices).

What is going on? There is talk of a Chrome bug not sending that header for pre-flight, but there it is and set to no-cors.

Security setting or bug in Chrome? Fixable server-side or front-end-side?

This is sent by an XMLHttpRequest, not the new Fetch-API.

Answer

Related questions

Origin <origin> is not allowed by Access-Control-Allow-Origin

XMLHttpRequest cannot load http://localhost:8080/api/test. Origin http://localhost:3000 is not allowed by Access-Control-Allow-Origin. I read about cross domain ajax requests, and understand the underlying security issue. In my case, 2 servers are running locally, and like to enable cross …

Read More
Does --disable-web-security Work In Chrome Anymore?

I'm trying to do a simple test without changing any server-side code involving a cross-domain AJAX call, and I was wondering if it's possible to use --disable-web-security anymore. It seems to not work on Chrome 28. I haven't used it since …

Read More
Chrome cancels CORS XHR upon HTTP 302 redirect

It looks like according to the CORS Spec, GET and POST requests should transparently follow 302 redirects. But Chrome is canceling my request. Here's the JS that does the request: var r = new XMLHttpRequest(); r.open('GET', 'https://dev.mysite.com/…

Read More