Chrome refuses to cache HTTP response

I set max-age in the Cache-Control header, but every time I reload the web page it just goes out and fetches the resource again. The following are example request and response headers:
Request Headers
:authority: mydomain.com
:method: GET
:path: /.well-known/openid-configuration
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en
cache-control: max-age=0 // I have no idea why Chrome sends this in the request
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Response Headers
access-control-allow-credentials: true
cache-control: public, s-maxage=2678400, max-age=14400, immutable
cf-cache-status: DYNAMIC
cf-ray: 6e7465234fc16c30-SIN
content-encoding: br
content-type: application/json; charset=utf-8
date: Sat, 05 Mar 2022 16:58:12 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=dSVocqHdnD4mopGV2L7pD08hRF3MZbpmBAsNHWm2eBznl15JNgOU7bkNcBn4qgoszBpGpGoCBPSbgCLWq796dv0jta9Ajlwq0BCEyW55h3Q2NO7mfQuz8cABZLAgWam4"}],"group":"cf-nel","max_age":604800}
server: cloudflare
vary: Origin, Accept-Encoding

Related

Chrome dev tools response encoded json

I am trying to read HTTP POST request data using Chrome developer tools, but both the payload and the response are encoded instead of being in JSON format.
request headers:
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,cy;q=0.8,fa;q=0.7,tr;q=0.6
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 88
Content-Type: application/json
Host: 192.168.88.11
Origin: http://192.168.88.11
Pragma: no-cache
Referer: http://192.168.88.11/?16550159
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
response headers:
Connection: keep-alive
Content-Type: text/html
Date: Sun, 12 Jun 2022 09:15:28 GMT
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
request payload
LyZJQwGM78nstubJ5ZHF63GzcsNSIli+ntpDXOkrmPHachPL9WQaCWc6DLLaoQ8WHSch4zCLwQvj7jE745KrHQ==
How can I see this payload in JSON format?

Chrome "Access-Control-Allow-Origin" header for origin error (CORS)

I have the following setup:
Webserver 1 https://localhost:8888
Webserver 2 https://localhost:9005
Webserver 3 https://localhost:9006
I open https://localhost:8888 in a web browser and enter the following JS code:
(async () => {
  const endpointId = '1d60eb5195725648';
  const continueUrl = 'https://localhost:9006/';
  const signinUrl = new URL('https://localhost:9005/_login');
  signinUrl.searchParams.set('continue', continueUrl);
  signinUrl.searchParams.set('endpoint', endpointId);
  const response = await fetch(signinUrl.toString(), {
    credentials: 'include',
    headers: {
      'Authorization': `Bearer ${gapi.auth.getToken().access_token}`,
    },
  });
})();
I'm getting this error in my Chrome browser, version 102.0.5005.115:
Access to fetch at 'https://localhost:9006/?TOKEN=0<Truncated>c&endpoint=1d60eb5195725648' (redirected from 'https://localhost:9005/_login?continue=https%3A%2F%2Flocalhost%3A9006%2F&endpoint=1d60eb5195725648') from origin 'https://localhost:8888' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header has a value 'https://localhost:8888' that is not equal to the supplied origin. Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
It looks like the Origin field is correct according to the info in the headers. What am I missing?
(I truncated the token to improve readability.)
Requests:
Request URL: https://localhost:9005/_login?continue=https%3A%2F%2Flocalhost%3A9006%2F&endpoint=1d60eb5195725648
Request Method: OPTIONS
Status Code: 200 OK
Remote Address: [::1]:9005
Referrer Policy: origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Authorization
Access-Control-Allow-Headers: Proxy-Authorization
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: https://localhost:8888
Content-Length: 0
Date: Sun, 12 Jun 2022 02:47:09 GMT
--
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,es;q=0.8
Access-Control-Request-Headers: authorization
Access-Control-Request-Method: GET
Cache-Control: no-cache
Connection: keep-alive
Host: localhost:9005
Origin: https://localhost:8888
Pragma: no-cache
Referer: https://localhost:8888/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Request URL: https://localhost:9005/_login?continue=https%3A%2F%2Flocalhost%3A9006%2F&endpoint=1d60eb5195725648
Request Method: GET
Status Code: 302 Found
Remote Address: [::1]:9005
Referrer Policy: origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://localhost:8888
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 360
Content-Type: text/html; charset=utf-8
Date: Sun, 12 Jun 2022 02:47:09 GMT
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Location: https://localhost:9006/?TOKEN=00cfdab4e480656ed7d71b3e58df42fe5422d85d33118a5af5fb7cc66f2d81330b46740ccbca4927ecfe841e751f0de72fdf53c4eb7d66b7c5ab857e33c6beaa270950fe0c49047fd5260db3120731d0abbfe3be1a0d316db4b0754610c81e2b070cea24e46e0e5ef76937c65832ef7c315b452b846e87f59be3124478cee49045162c&endpoint=1d60eb5195725648
Pragma: no-cache
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,es;q=0.8
Authorization: Bearer ya29.a0ARrdaM8mfOksOCl6l4O13z5PQv1cUVgKDKWgbo_rNXDL_Fw_-aedVVJdAFOSYByUjEy1WYrAKoik0KHx_c69aCXZcuAXbYedYkZRtDb5Y3Bz98eqjrOBjT0XrWspWdGNqRvsq_L_rDERdnsUFDFKCNiFCHV4sg
Cache-Control: no-cache
Connection: keep-alive
Cookie: _ga=GA1.1.1057744305.1654277711; _gid=GA1.1.1514740287.1654641546; _gat=1
Host: localhost:9005
Origin: https://localhost:8888
Pragma: no-cache
Referer: https://localhost:8888/
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="102", "Google Chrome";v="102"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Request URL: https://localhost:9006/?TOKEN=00cfdab4e480656ed7d71b3e58df42fe5422d85d33118a5af5fb7cc66f2d81330b46740ccbca4927ecfe841e751f0de72fdf53c4eb7d66b7c5ab857e33c6beaa270950fe0c49047fd5260db3120731d0abbfe3be1a0d316db4b0754610c81e2b070cea24e46e0e5ef76937c65832ef7c315b452b846e87f59be3124478cee49045162c&endpoint=1d60eb5195725648
Referrer Policy: origin
Provisional headers are shown
Referer: https://localhost:8888/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36

Why is the image response status 200, not 304, when the browser is refreshed?

I wrote some simple code:
<?php
echo "<h1>1233422</h1>";
?>
<html>
<img src="screen.png"/>
</html>
There is an image in the HTML, but when I refresh the browser page the PNG image's status is 200.
Theoretically the image response status should be 304, so why is it 200?
The response headers for both requests are:
HTTP/1.1 200 OK
Content-Type: image/png
server: PhpStorm 10.0.1
date: Fri, 07 Dec 2018 03:35:42 GMT
cache-control: private, must-revalidate
last-modified: Fri, 07 Dec 2018 03:34:56 GMT
content-length: 11437
The second request's headers:
GET /test03-hante/screen.png HTTP/1.1
Host: localhost:63342
Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: http://localhost:63342/test03-hante/index.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: wp-settings-time-1=1539853185; Webstorm-b87204fd=531be1b1-a109-47c6-97d9-4dd7b886ebde
As you can see, there are no If-Modified-Since or If-None-Match headers. Why?
On a browser refresh, the HTTP image response status is "200 (cache)" because on refresh the image is loaded from your browser cache.
You can learn more from this answer: https://stackoverflow.com/a/1665097/6678086
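As an added example (not code from any of the posts on this page), here is the freshness computation a private browser cache applies under RFC 7234, run against the response headers quoted in the first question and in this one; the "now" timestamps and the request directive are constructed inputs, and the Age header and the immutable extension are ignored for brevity.

```javascript
// Added example, not from any post on this page: RFC 7234 freshness for a
// private (browser) cache, applied to the two response header sets quoted above.

// Parse "public, s-maxage=2678400, max-age=14400, immutable" into an object.
function parseCacheControl(value) {
  const out = {};
  for (const part of (value || '').split(',')) {
    const [k, v] = part.trim().split('=');
    if (k) out[k.toLowerCase()] = v === undefined ? true : v.replace(/"/g, '');
  }
  return out;
}

// Decide whether a stored response may be reused without contacting the origin.
// requestCacheControl is the directive the browser itself sends; Chrome sends
// "max-age=0" on a normal reload, which is what the first question observed.
function freshness(resHeaders, nowMs, requestCacheControl = '') {
  const cc = parseCacheControl(resHeaders['cache-control']);
  const reqCc = parseCacheControl(requestCacheControl);
  const date = Date.parse(resHeaders['date']);
  if (cc['no-store']) return { fresh: false, reason: 'no-store' };
  let lifetime, basis;
  if (cc['max-age'] !== undefined) {
    // s-maxage is for shared caches only (a CDN); a browser cache ignores it.
    lifetime = Number(cc['max-age']); basis = 'max-age';
  } else if (resHeaders['expires']) {
    lifetime = (Date.parse(resHeaders['expires']) - date) / 1000; basis = 'expires';
  } else if (resHeaders['last-modified']) {
    // No explicit lifetime: heuristic freshness, here 10% of the time since
    // Last-Modified, the fraction RFC 7234 section 4.2.2 suggests.
    lifetime = Math.floor((date - Date.parse(resHeaders['last-modified'])) / 1000 * 0.1);
    basis = 'heuristic';
  } else {
    lifetime = 0; basis = 'none';
  }
  // Age in seconds since the response was generated (Age header ignored here).
  const age = Math.floor((nowMs - date) / 1000);
  if (reqCc['no-cache'] || (reqCc['max-age'] !== undefined && age > Number(reqCc['max-age']))) {
    return { fresh: false, lifetime, age, basis, reason: 'request directive ' + requestCacheControl };
  }
  return { fresh: age < lifetime, lifetime, age, basis, reason: age < lifetime ? 'fresh' : 'stale' };
}

// Headers a cache adds when it must revalidate a stale entry. They are absent
// when the entry is still fresh and served without contacting the server.
function revalidationHeaders(resHeaders) {
  const h = {};
  if (resHeaders['etag']) h['If-None-Match'] = resHeaders['etag'];
  if (resHeaders['last-modified']) h['If-Modified-Since'] = resHeaders['last-modified'];
  return h;
}

// Header set from the first question (Cloudflare-fronted JSON document).
const openidConfig = {
  'cache-control': 'public, s-maxage=2678400, max-age=14400, immutable',
  date: 'Sat, 05 Mar 2022 16:58:12 GMT',
};
// Header set from this question (PhpStorm's built-in server, no max-age).
const screenPng = {
  'cache-control': 'private, must-revalidate',
  date: 'Fri, 07 Dec 2018 03:35:42 GMT',
  'last-modified': 'Fri, 07 Dec 2018 03:34:56 GMT',
};

// Constructed "now" values: 30 s and 2 s after the respective Date headers.
const t1 = Date.parse(openidConfig.date) + 30 * 1000;
const t4 = Date.parse(screenPng.date) + 2 * 1000;
console.log(freshness(openidConfig, t1));               // fresh, lifetime 14400 s
console.log(freshness(openidConfig, t1, 'max-age=0'));  // reload: must refetch
console.log(freshness(screenPng, t4));                  // heuristic, 4 s lifetime
console.log(revalidationHeaders(screenPng));            // If-Modified-Since only
```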

ReactJS fetch POST API 405 issue

I am using Swagger to POST to the API, which works fine, but when I POST from React JS it causes a 405 issue.
Fiddler shows the raw information for the Swagger request as follows:
POST http://localhost:7100/api/test/submit?guid=17327026-4348-4ce9-aceb-5774c3a724bf HTTP/1.1
Host: localhost:7100
Connection: keep-alive
Content-Length: 14
Origin: http://localhost:7100
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36
Content-Type: application/json
Accept: */*
Referer: http://localhost:7100/swagger/ui/index
Accept-Encoding: gzip, deflate, br
Accept-Language: en,en-US;q=0.8,zh;q=0.6,zh-CN;q=0.4
Cookie: ASP.NET_SessionId=yzdydpdimqvgpvejykzjqqqb; .ASPXAUTH=dWLGc_XQvl3qTNrEJXsRyk3w-tXBSFeXKC0bIUDzLDLFJi5kbSAt_hcJXQs0-pfz7uVm-VJ27ZGAbN8eErCNV-Wozn3D1ZbHD7ONNN5VCMjT_Joyz_1aIcTZLR401s0TtC4Br1sRlerv0zX4F4xnDLhrIm5YKkGfZj2aZzDgc-KjNPVWY1SEC6k2XqPq54vo9_HUvudihHGlneNx1n2JlodvFxAeYudKnUSBRWpp2rRAx94uF7KmmP5BQoTmBTTq1qKSv98YiPToicePFR32d9yk1Uw1qcFrnkKD2zKOCuJByNgCLN_eC5dOmdLKfPCekciEJ16KfeYg8XeApIf13vCrtGOy-L2EXibWuEjUjKCrUy8sfYTGNZbxDffTg9gNOn7-nfyR5hKLYDM0CxfmENV7S0ExTSFyGhsR5aqqB3oXq3A_i8ENabgGMy_tFyor06S7_vrUUcDlS2hFgsxWzgMrRUdVIlohHK2-slPdbhwuUKIZXKKiSQijwH0RskwF-l8RyVe_0VCcCVipk4MXtncDvrubmEW09LWeOycyc0wc1BmMHL9AATpBHA6WBNLEaMGS9-x-RhFC5YNJW1KtetmlXiaKmiX9L-2wWhVRgjlhmfjtRPjxlVvW1GxyeKC-JOlSPnY6DInNM-qa2dcZjdaoffdnLBvzKTHkJNwzUSZw8fN-Vz6SVmURMtpEQAKmxloNvw
"test working"
The POST from React is as follows:
OPTIONS http://localhost:7100/api/test/submit?guid=17327026-4348-4CE9-ACEB-5774C3A724BF HTTP/1.1
Host: localhost:7100
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Access-Control-Request-Method: POST
Origin: http://localhost:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36
Access-Control-Request-Headers: content-type
Accept: */*
Referer: http://localhost:3000/?testId=17327026-4348-4ce9-aceb-5774c3a724bf
Accept-Encoding: gzip, deflate, br
Accept-Language: en,en-US;q=0.8,zh;q=0.6,zh-CN;q=0.4
I believe something is wrong in the following fetch POST function. Is there any chance to fix it, so that the raw information can be the same as the first one?
onFormSubmit(Result) {
  fetch("http://localhost:7100/api/test/submit?guid=" + "17327026-4348-4CE9-ACEB-5774C3A724BF",
    {
      method: 'POST',
      // headers: {'Content-Type':'application/x-www-form-urlencoded'},
      headers: {'Content-Type':'application/json'},
      // contentType: 'application/json; charset=utf-8',
      // body: JSON.stringify(result)
      body: "test working"
    })
    .then((response) => {
      console.log(response.ok ? 'success' : 'error');
    })
    .catch(function (error) {
      console.log('catch error');
    });
}
This is a CORS issue. You need to allow requests coming from http://localhost:3000 in your server.

Chrome & CORS with 302 redirects and withCredentials=true

I am having trouble with Chromium-based browsers and CORS requests that
include 302 redirects. More specifically, I am having trouble with Chromium
versions 34-42 inclusive; 43 and later works, and it seems 33 and earlier
versions worked as well (I didn't test too far past 33, 28 worked).
My XHR request uses withCredentials=true, so Access-Control-Allow-Origin="*"
is not allowed; the server must reply with an Access-Control-Allow-Origin
header that echoes the incoming request's Origin header.
After receiving the first 302, Chromium 43 and later sends "Origin: null" as
part of the redirected request, and accepts "Access-Control-Allow-Origin: null"
in response (as does Firefox).
The Chromium series of 34-42 all send the host name as Origin for all requests,
and several issues from this time indicate that CORS redirects were only
supported with Access-Control-Allow-Origin set to "*", and that "the original
XHR must not have allow-credentials set to true", example:
https://code.google.com/p/chromium/issues/detail?id=154967
I am hoping this is a misconception, and there is something as an app
developer I can do on the client and/or server to coerce those versions to
not cancel the redirect, or failing that, ideas for a workaround.
Version 33 & earlier sent the entire host name for every request, and the full
roundtrip works.
One possibility for a workaround I have been experimenting with stems from the
fact that I actually do not need withCredentials=true for the cross-domain
request, I only need it for the redirect back to the origin host to exchange
cookie-based authentication for an access_token, but I could not find a way to
get the client to send a cookie when following the 302 to itself unless it was
also sent with the original cross-domain request.
To illustrate, here are excerpts from a chrome://net-internals/#events log for
a successful request using Chrome 43:
HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> GET /media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ%3D%3D.jpg?timestamp=1437075435614 HTTP/1.1
Host: media-qa.example.com
Origin: https://qa-app.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Referer: https://qa-app.example.com/media/photos/
Cookie: [1568 bytes were stripped]
HTTP_TRANSACTION_READ_RESPONSE_HEADERS
--> HTTP/1.1 302 FOUND
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: X-HTTP-Method-Override, Content-Type, X-Requested-With
Access-Control-Allow-Origin: https://qa-app.example.com
Content-Type: text/html; charset=utf-8
Location: https://qa-app.example.com/oauth/authorize/?request_uri=https%3A//media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ%3D%3D.jpg%3Ftimestamp%3D1437075435614
[get cross-domain access token]
HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> GET /oauth/authorize/?request_uri=https%3A//media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ%3D%3D.jpg%3Ftimestamp%3D1437075435614 HTTP/1.1
Host: qa-app.example.com
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Referer: https://qa-app.example.com/media/photos/
Cookie: [1762 bytes were stripped]
HTTP_TRANSACTION_READ_RESPONSE_HEADERS
--> HTTP/1.1 302 FOUND
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type, X-HTTP-Method-Override, X-Requested-With
Access-Control-Allow-Origin: null
Content-Type: text/html; charset=utf-8
Location: https://media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ==.jpg?timestamp=1437075435614&access_token=L221i4rC5R8NY2AbP4lIxo7apr6HlIHttKroKkQi3tzUSaL7NE7aoBcLUI432Mast8b/NH7ksFfRhsCOhK7P86Lc4C9GlkRn%2Bze/UBJeG8gbRVlnxdjdzBFfp9kAbYR9onDM9b1bUdRaV1q19it8OL3aBzThrmng1E%2BMmT%2BVyK0qXLqQ6yA/tHfrgyC9XwFbKqW6BQSpLOyVOPHZZ4t3dgzimTD9HJCbLUUjZt7nf7iCAOBcaR9CiUH8vlcP4wkOmXk3AoDslYu6IUZtRHrSs7OplBtTXgmzBlSaum%2BccFzdNu5TuH%2BQkmp2QQHErwRJkUNN9S5ZcRzlXdUGg8%2B698Wh5zYFVa%2B/pEfykkf%2BAuqKjbVicGq%2BgxCYOCuqe4YJU/GPMHsBC6gvVYFmtkDaG4za1N4fvbmBb9u%2BHHZNdW0kvj55N9QgJ86lHZjddvfEivET0TVTo1u0u6Wp/TM4EMXLtMK3urBpEAMWBT9PlE8%3D
[url redirection service adds cloudfront signature]
HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> GET /media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ==.jpg?timestamp=1437075435614&access_token=L221i4rC5R8NY2AbP4lIxo7apr6HlIHttKroKkQi3tzUSaL7NE7aoBcLUI432Mast8b/NH7ksFfRhsCOhK7P86Lc4C9GlkRn%2Bze/UBJeG8gbRVlnxdjdzBFfp9kAbYR9onDM9b1bUdRaV1q19it8OL3aBzThrmng1E%2BMmT%2BVyK0qXLqQ6yA/tHfrgyC9XwFbKqW6BQSpLOyVOPHZZ4t3dgzimTD9HJCbLUUjZt7nf7iCAOBcaR9CiUH8vlcP4wkOmXk3AoDslYu6IUZtRHrSs7OplBtTXgmzBlSaum%2BccFzdNu5TuH%2BQkmp2QQHErwRJkUNN9S5ZcRzlXdUGg8%2B698Wh5zYFVa%2B/pEfykkf%2BAuqKjbVicGq%2BgxCYOCuqe4YJU/GPMHsBC6gvVYFmtkDaG4za1N4fvbmBb9u%2BHHZNdW0kvj55N9QgJ86lHZjddvfEivET0TVTo1u0u6Wp/TM4EMXLtMK3urBpEAMWBT9PlE8%3D HTTP/1.1
Host: media-qa.example.com
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Referer: https://qa-app.example.com/media/photos/
Cookie: [1568 bytes were stripped]
HTTP_TRANSACTION_READ_RESPONSE_HEADERS
--> HTTP/1.1 302 FOUND
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: X-HTTP-Method-Override, Content-Type, X-Requested-With
Access-Control-Allow-Origin: null
Content-Type: text/html; charset=utf-8
Location: https://gbbrsh.cloudfront.net/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ==.jpg?Expires=1437075499&Signature=RpCVix5lcF5~Arah0WxhSoB3SN7ZfxXIwnaL8EOdlslIz5c9Ycic1wF~sjwTnWD5fxS~SBhexIz37oqjHjED3MTPiXAmuPjO1mQ-V8ACc8N-geWBIvMQRw9kCjCRmtquSs7TynaFqopv0BpQKH2G1xVdfoDaOZZWso7pXnpR50c2NdyDD-WMZNLKJ657Dj4-wCL8ZJdUPOgiXsfcxM1AZGy5P034SCL8JB8ZyEh1bUDszLkQa8lIpsy08mt9t8ZjFcR2i6bqBZNZOquT3jbOEy8VprL4lmtyOmVJaNTaBevZC6rQ6CM~jd~Ya2FockK5bNGYxM043OU71NExS0lHTg__&Key-Pair-Id=APKAJNUAAHKHVOSPPXTQ
Set-Cookie: [349 bytes were stripped]
[finally, get cloudfront image]
HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> GET /media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ==.jpg?Expires=1437075499&Signature=RpCVix5lcF5~Arah0WxhSoB3SN7ZfxXIwnaL8EOdlslIz5c9Ycic1wF~sjwTnWD5fxS~SBhexIz37oqjHjED3MTPiXAmuPjO1mQ-V8ACc8N-geWBIvMQRw9kCjCRmtquSs7TynaFqopv0BpQKH2G1xVdfoDaOZZWso7pXnpR50c2NdyDD-WMZNLKJ657Dj4-wCL8ZJdUPOgiXsfcxM1AZGy5P034SCL8JB8ZyEh1bUDszLkQa8lIpsy08mt9t8ZjFcR2i6bqBZNZOquT3jbOEy8VprL4lmtyOmVJaNTaBevZC6rQ6CM~jd~Ya2FockK5bNGYxM043OU71NExS0lHTg__&Key-Pair-Id=APKAJNUAAHKHVOSPPXTQ HTTP/1.1
Host: gbbrsh.cloudfront.net
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Referer: https://qa-app.example.com/media/photos/
HTTP_TRANSACTION_READ_RESPONSE_HEADERS
--> HTTP/1.1 200 OK
Content-Length: 48776
Access-Control-Allow-Origin: null
Access-Control-Allow-Methods: GET
Access-Control-Max-Age: 3000
Access-Control-Allow-Credentials: true
Vary: Origin
And here is an unsuccessful log using version 42, note that all the redirects
using 43 above sent "Origin: null", but 42 sends the host name (which the
server replies with), and the client cancels the request:
HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> GET /media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ%3D%3D.jpg?timestamp=1437074740624 HTTP/1.1
Host: media-qa.example.com
Origin: https://qa-app.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36
Referer: https://qa-app.example.com/media/photos/
Cookie: [1571 bytes were stripped]
HTTP_TRANSACTION_READ_RESPONSE_HEADERS
--> HTTP/1.1 302 FOUND
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: X-HTTP-Method-Override, Content-Type, X-Requested-With
Access-Control-Allow-Origin: https://qa-app.example.com
Location: https://qa-app.example.com/oauth/authorize/?request_uri=https%3A//media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ%3D%3D.jpg%3Ftimestamp%3D1437074740624
HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> GET /oauth/authorize/?request_uri=https%3A//media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ%3D%3D.jpg%3Ftimestamp%3D1437074740624 HTTP/1.1
Host: qa-app.example.com
Origin: https://qa-app.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36
Referer: https://qa-app.example.com/media/photos/
Cookie: [1769 bytes were stripped]
HTTP_TRANSACTION_READ_RESPONSE_HEADERS
--> HTTP/1.1 302 FOUND
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type, X-HTTP-Method-Override, X-Requested-With
Access-Control-Allow-Origin: https://qa-app.example.com
Location: https://media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ==.jpg?timestamp=1437074740624&access_token=JbXemck/weq2TjoVtgwuXDZB1GgmBqlDix3z5WfsWFlf2aZVmCud99wtAU%2BBErVxm6Lk1MRP1ubM/bf59URPs9uXMLYC%2Bnk6lAYQRUBhO3UmBnZk967W/5f9/1YnfRHQe1Y9fGRSkddQJdzdOwkMAvYSCw%2BN1ofkrb4tYKz9OWja1WRuim82Mt5uzdb5eXVLUnlCCgqt9LjN6yDHPm7UjMwQMG8V0kFPIkL4ZGb/5WfXXa2NJY1Qq3GbFGFQID49vw/XDP6B9q9kRIL4D/NuLUocRUvw5iHZciqygpnJl1GaRcVr%2B5%2BBbKBw3c0Gou4X/ojiewnds2pYPPxNGKploy88l4GcjpGw%2BXmDiP4wUgCojhRporBjp2y87AnaY1k6BSI1j9xHxiSnjXT7pMsyXpBfMYCoAwV/w1Fh1E/Tu1ygXJhaOHAx%2B19BxOIYPWFJVw3djggbkN1jRo%2Bde%2BolGjfEXtFarwfx4nyCeNyYAd0%3D
Vary: Accept-Encoding
URL_REQUEST_DELEGATE [dt=0]
+URL_REQUEST_DELEGATE [dt=3]
DELEGATE_INFO [dt=3]
--> delegate_info = "AsyncResourceHandler"
-URL_REQUEST_DELEGATE
CANCELLED
As I mentioned, if you go back to version 33, it works even though the client
was sending the host name in the Origin header for all requests:
HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> GET /media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ%3D%3D.jpg?timestamp=1437076851710 HTTP/1.1
Host: media-qa.example.com
Origin: https://qa-app.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36
Referer: https://qa-app.example.com/media/photos/
Cookie: [1550 bytes were stripped]
HTTP_TRANSACTION_READ_RESPONSE_HEADERS
--> HTTP/1.1 302 FOUND
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: X-HTTP-Method-Override, Content-Type, X-Requested-With
Access-Control-Allow-Origin: https://qa-app.example.com
Location: https://qa-app.example.com/oauth/authorize/?request_uri=https%3A//media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ%3D%3D.jpg%3Ftimestamp%3D1437076851710
HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> GET /oauth/authorize/?request_uri=https%3A//media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ%3D%3D.jpg%3Ftimestamp%3D1437076851710 HTTP/1.1
Host: qa-app.example.com
Origin: https://qa-app.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36
Referer: https://qa-app.example.com/media/photos/
Cookie: [1763 bytes were stripped]
HTTP_TRANSACTION_READ_RESPONSE_HEADERS
--> HTTP/1.1 302 FOUND
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type, X-HTTP-Method-Override, X-Requested-With
Access-Control-Allow-Origin: https://qa-app.example.com
Location: https://media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ==.jpg?timestamp=1437076851710&access_token=C30mMVgoZSZtkpm3vgMNfLZEpkKT//%2BiZK5gbR39dvPfIaezfjNMocXJ0UCCH10jcE0yvOIrT8yISHerVvGZlGPy2rr2YwXkh1IsYcl0uNGYOP2bDYyz1cJNAwnRYZ4qS0uctDQiKNGZi3oC10TdIwzhz8aaOFAosRFEjPqrT553aXjpZr2SE4Z73TtU2pd%2B7ILICARbjp0r9yhDAAauJgQHkBAkcLVvW5TARQBeRR1OtXbf0CjN764EZ/2GEqCRhvo0rtVUQGUVpt/Sur9yFYUh1b/rFOZJ0o/Oj8rEUEg2c8p/O1ZrpN8emKMB%2BVWLXG97DPO6QpQmzGvaYCZsUDwGfvPNJ8wCtXEdQF0RzQMv3HG71StD9lK30BB46sDTuP24w7tH4PxqjY0cWBUpaMMz/mKLWuSWY6lerx7ibB7Gp%2B9OsclEHeaxKwFr%2BD63RFPmTwBtHKOF/PjIo%2BbmoxJZ07eJYAEYXDtfoLmFvM8%3D
Vary: Accept-Encoding
HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> GET /media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ==.jpg?timestamp=1437076851710&access_token=C30mMVgoZSZtkpm3vgMNfLZEpkKT//%2BiZK5gbR39dvPfIaezfjNMocXJ0UCCH10jcE0yvOIrT8yISHerVvGZlGPy2rr2YwXkh1IsYcl0uNGYOP2bDYyz1cJNAwnRYZ4qS0uctDQiKNGZi3oC10TdIwzhz8aaOFAosRFEjPqrT553aXjpZr2SE4Z73TtU2pd%2B7ILICARbjp0r9yhDAAauJgQHkBAkcLVvW5TARQBeRR1OtXbf0CjN764EZ/2GEqCRhvo0rtVUQGUVpt/Sur9yFYUh1b/rFOZJ0o/Oj8rEUEg2c8p/O1ZrpN8emKMB%2BVWLXG97DPO6QpQmzGvaYCZsUDwGfvPNJ8wCtXEdQF0RzQMv3HG71StD9lK30BB46sDTuP24w7tH4PxqjY0cWBUpaMMz/mKLWuSWY6lerx7ibB7Gp%2B9OsclEHeaxKwFr%2BD63RFPmTwBtHKOF/PjIo%2BbmoxJZ07eJYAEYXDtfoLmFvM8%3D HTTP/1.1
Host: media-qa.example.com
Origin: https://qa-app.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36
Referer: https://qa-app.example.com/media/photos/
Cookie: [1550 bytes were stripped]
HTTP_TRANSACTION_READ_RESPONSE_HEADERS
--> HTTP/1.1 302 FOUND
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: X-HTTP-Method-Override, Content-Type, X-Requested-With
Access-Control-Allow-Origin: https://qa-app.example.com
Location: https://gbbrsh.cloudfront.net/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ==.jpg?Expires=1437076916&Signature=WBDGSQXer-zAREYgiD1~DA8pUaNUBha4WrUFt-WI5Soh4Z-5ayw35UocOG7DuC9FOnAQAeU5Nvp8hKdofDB--ic4aMH0e~LmHaJ38GtP-lHnyyfQDpjJOEmGM2GY3sB0KG7qa8~eTXX9jKDJTCG9Hkf0EpievuWwiXEKGYaSbe0tkR4CLyhND3sIDJbFGCQQZ7NmhMB-3vOsqDKYKKz9SebuiqO0qbL8SvqBkMEiufXCF2MriR4hVDEjFQssE3ysBbhiMlkaINAeOkEmiZEAjnhB-ncN31Lvy4Lo1LxiyCqKH9QwPOpa6ukK0WrYXWwiTi2VRAaxSjm-xgbGiIArmA__&Key-Pair-Id=APKAJNUAAHKHVOSPPXTQ
HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> GET /media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ==.jpg?Expires=1437076916&Signature=WBDGSQXer-zAREYgiD1~DA8pUaNUBha4WrUFt-WI5Soh4Z-5ayw35UocOG7DuC9FOnAQAeU5Nvp8hKdofDB--ic4aMH0e~LmHaJ38GtP-lHnyyfQDpjJOEmGM2GY3sB0KG7qa8~eTXX9jKDJTCG9Hkf0EpievuWwiXEKGYaSbe0tkR4CLyhND3sIDJbFGCQQZ7NmhMB-3vOsqDKYKKz9SebuiqO0qbL8SvqBkMEiufXCF2MriR4hVDEjFQssE3ysBbhiMlkaINAeOkEmiZEAjnhB-ncN31Lvy4Lo1LxiyCqKH9QwPOpa6ukK0WrYXWwiTi2VRAaxSjm-xgbGiIArmA__&Key-Pair-Id=APKAJNUAAHKHVOSPPXTQ HTTP/1.1
Host: gbbrsh.cloudfront.net
Origin: https://qa-app.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36
Referer: https://qa-app.example.com/media/photos/
HTTP_TRANSACTION_READ_RESPONSE_HEADERS
--> HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://qa-app.example.com
Access-Control-Allow-Methods: GET
Access-Control-Max-Age: 3000
Access-Control-Allow-Credentials: true
Vary: Origin
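Added example, not code from any of the posts on this page: the CORS response check a browser applies, the Origin a redirected request carries under the Fetch standard's tainted-origin rule, and a server-side header builder that echoes an allowlisted Origin instead of "*" so credentialed requests pass. It is run against the origins and header sets quoted in the three CORS questions above (the 9005/9006 redirect, the React 405 preflight, and this post). The allowlist is an assumption; unlike the server in this post, it does not accept "null", because any sandboxed frame or data: page presents that origin too.

```javascript
// Added example, not from any post on this page. Simplified CORS logic for the
// three CORS questions above; the allowlist passed in below is an assumption.

// Browser side: the "CORS check" of the Fetch standard.
function corsCheck(requestOrigin, resHeaders, withCredentials) {
  const acao = resHeaders['access-control-allow-origin'];
  if (acao === undefined) return { ok: false, reason: 'no Access-Control-Allow-Origin header' };
  if (acao === '*') {
    // "*" is never accepted for a request carrying credentials (cookies, Authorization).
    return withCredentials ? { ok: false, reason: '"*" not allowed with credentials' } : { ok: true };
  }
  if (acao !== requestOrigin) {
    return { ok: false, reason: `value '${acao}' is not equal to the supplied origin '${requestOrigin}'` };
  }
  if (withCredentials && resHeaders['access-control-allow-credentials'] !== 'true') {
    return { ok: false, reason: 'credentials require Access-Control-Allow-Credentials: true' };
  }
  return { ok: true };
}

// Browser side: which Origin the next hop of a CORS request carries. Once a
// redirect leaves the current URL's origin, the request origin is tainted and
// every later hop sends "Origin: null" (what the Chrome 43 log above shows).
function originAfterRedirect(requestOrigin, currentUrl, locationUrl) {
  const from = new URL(currentUrl).origin;
  const to = new URL(locationUrl).origin;
  return from === to ? requestOrigin : 'null';
}

// Server side: answer preflight and actual requests by reflecting the request's
// Origin only when it is allowlisted. Reflecting any Origin, or allowing "null",
// together with Allow-Credentials would let any site read authenticated responses.
function corsResponseHeaders(req, allowlist, withCredentials = true) {
  const origin = req.headers['origin'];
  if (!allowlist.includes(origin)) return { status: 403, headers: {} };
  const headers = { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
  if (withCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  if (req.method === 'OPTIONS' && req.headers['access-control-request-method']) {
    // A preflight must be answered here, not passed to a handler that returns 405.
    headers['Access-Control-Allow-Methods'] = 'GET, POST';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    headers['Access-Control-Max-Age'] = '3000';
    return { status: 204, headers };
  }
  return { status: 200, headers };
}

// Sample inputs taken from the questions above.
// 1. Chrome 43 hop after the cross-origin redirect: Origin null, server echoed null.
const hop2 = { 'access-control-allow-origin': 'null', 'access-control-allow-credentials': 'true' };
// 2. The 9005 -> 9006 redirect: 9006 answered for localhost:8888, but the
//    redirected request no longer supplies that origin.
const at9006 = { 'access-control-allow-origin': 'https://localhost:8888', 'access-control-allow-credentials': 'true' };
const originAt9006 = originAfterRedirect('https://localhost:8888', 'https://localhost:9005/_login', 'https://localhost:9006/');
// 3. The React preflight for the POST from http://localhost:3000.
const reactPreflight = {
  method: 'OPTIONS',
  headers: { origin: 'http://localhost:3000', 'access-control-request-method': 'POST', 'access-control-request-headers': 'content-type' },
};

console.log(corsCheck('null', hop2, true));                        // ok
console.log(originAt9006, corsCheck(originAt9006, at9006, true));  // null, mismatch
console.log(corsResponseHeaders(reactPreflight, ['http://localhost:3000']).status); // 204
console.log(corsResponseHeaders(reactPreflight, []).status);                        // 403
```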