Below are the request headers I copied from chrome. How do I pass these values to response = requests.get(url, headers = headers) so that I don't get any error. Should all the keys and values be made strings by enclosing within '' ?
:authority: portal.grab.com
:method: POST
:path: /foodweb/v2/search
:scheme: https
accept: application/json, text/plain, /
accept-encoding: gzip, deflate, br
accept-language: en
content-length: 87
content-type: application/json;charset=UTF-8
origin: https://food.grab.com
referer: https://food.grab.com/
sec-ch-ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-site
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
x-country-code: PH
x-gfc-country: PH
x-grab-web-app-version: ~k5VPZk5KBtLKJOP7fLbR
x-recaptcha-token: 03AGdBq24a8dFVYhN75ZFSZR6MSzf8anLJEc-c6xCFkUYi87f5FQLlYV8NeHspOYwqJYS1ypTDvpPVU4FG6NbvkwbwHgHCxAOaiHi8sLtnraXL78xszl-HgySw_yBGCadmL4I9TmnDL8HITA4ug4FZ-tITOWIE9AI1L2OWAgFJC25r663aHtF16pJGLJovE4D1IVm2NziSUhWNdlv9aSxym4s1dGhM9YTu0w2FNCfiHqLURKs-sk4GLQ-O1Xv2xuTRuvBiDxXZYisKKt0nnoMpov5CPmwzFVaQGFXVk5xLz05bsbsdN7gf4DcoGD8i1yM3vbNMld-gqgDJ6DhLX3IY6NxJ_2QdH-dQctu4OCB9oPUursOAFs6ph8Xqf_kL3XQLzdO2qRMhU9wVlmAocV8lm8DTF0Urxp1JkRY6X7SeKDeQsX0KX2vO3ZFFjfYb19Gqpts5CQCGJO5j
There is an example how to format headers in Python requests documentation: Custom Headers so in your case it should looks like this:
headers = {
'accept': 'application/json, text/plain, /',
'accept-encoding': 'gzip, deflate, br',
'accept-language': 'en',
'content-length': '87',
'content-type': 'application/json;charset=UTF-8',
'origin': 'https://food.grab.com',
'referer': 'https://food.grab.com/',
'sec-ch-ua': '"Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"',
'sec-ch-ua-mobile': '?0',
'sec-ch-ua-platform': '"macOS"',
'sec-fetch-dest': 'empty',
'sec-fetch-mode': 'cors',
'sec-fetch-site': 'same-site',
'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36',
'x-country-code': 'PH',
'x-gfc-country': 'PH',
'x-grab-web-app-version': '~k5VPZk5KBtLKJOP7fLbR',
'x-recaptcha-token': '03AGdBq24a8dFVYhN75ZFSZR6MSzf8anLJEc-c6xCFkUYi87f5FQLlYV8NeHspOYwqJYS1ypTDvpPVU4FG6NbvkwbwHgHCxAOaiHi8sLtnraXL78xszl-HgySw_yBGCadmL4I9TmnDL8HITA4ug4FZ-tITOWIE9AI1L2OWAgFJC25r663aHtF16pJGLJovE4D1IVm2NziSUhWNdlv9aSxym4s1dGhM9YTu0w2FNCfiHqLURKs-sk4GLQ-O1Xv2xuTRuvBiDxXZYisKKt0nnoMpov5CPmwzFVaQGFXVk5xLz05bsbsdN7gf4DcoGD8i1yM3vbNMld-gqgDJ6DhLX3IY6NxJ_2QdH-dQctu4OCB9oPUursOAFs6ph8Xqf_kL3XQLzdO2qRMhU9wVlmAocV8lm8DTF0Urxp1JkRY6X7SeKDeQsX0KX2vO3ZFFjfYb19Gqpts5CQCGJO5j'
}
Related
I have the following setup:
Webserver 1 https://localhost:8888
Webserver 2 https://localhost:9005
Webserver 3 https://localhost:9006
I open https://localhost:8888 from a Web browser and enter the following JS code.
(async () => {
const endpointId = '1d60eb5195725648';
const continueUrl = 'https://localhost:9006/'
const signinUrl = new URL('https://localhost:9005/_login');
signinUrl.searchParams.set('continue', continueUrl);
signinUrl.searchParams.set('endpoint', endpointId);
const response = await fetch(signinUrl.toString(), {
credentials: 'include',
headers: {
'Authorization': `Bearer ${gapi.auth.getToken().access_token}`,
},
});
})();
I'm getting this error in my Chrome Browser Version 102.0.5005.115
Access to fetch at 'https://localhost:9006/?TOKEN=0<Truncated>c&endpoint=1d60eb5195725648' (redirected from 'https://localhost:9005/_login?continue=https%3A%2F%2Flocalhost%3A9006%2F&endpoint=1d60eb5195725648') from origin 'https://localhost:8888' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header has a value 'https://localhost:8888' that is not equal to the supplied origin. Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
Looks like Origin field is correct according to the info in Headers. What am I missing?
(I truncated Token to improve readability)
Requests:
Request URL: https://localhost:9005/_login?continue=https%3A%2F%2Flocalhost%3A9006%2F&endpoint=1d60eb5195725648
Request Method: OPTIONS
Status Code: 200 OK
Remote Address: [::1]:9005
Referrer Policy: origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Authorization
Access-Control-Allow-Headers: Proxy-Authorization
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: https://localhost:8888
Content-Length: 0
Date: Sun, 12 Jun 2022 02:47:09 GMT
--
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,es;q=0.8
Access-Control-Request-Headers: authorization
Access-Control-Request-Method: GET
Cache-Control: no-cache
Connection: keep-alive
Host: localhost:9005
Origin: https://localhost:8888
Pragma: no-cache
Referer: https://localhost:8888/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Request URL: https://localhost:9005/_login?continue=https%3A%2F%2Flocalhost%3A9006%2F&endpoint=1d60eb5195725648
Request Method: GET
Status Code: 302 Found
Remote Address: [::1]:9005
Referrer Policy: origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://localhost:8888
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 360
Content-Type: text/html; charset=utf-8
Date: Sun, 12 Jun 2022 02:47:09 GMT
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Location: https://localhost:9006/?TOKEN=00cfdab4e480656ed7d71b3e58df42fe5422d85d33118a5af5fb7cc66f2d81330b46740ccbca4927ecfe841e751f0de72fdf53c4eb7d66b7c5ab857e33c6beaa270950fe0c49047fd5260db3120731d0abbfe3be1a0d316db4b0754610c81e2b070cea24e46e0e5ef76937c65832ef7c315b452b846e87f59be3124478cee49045162c&endpoint=1d60eb5195725648
Pragma: no-cache
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,es;q=0.8
Authorization: Bearer ya29.a0ARrdaM8mfOksOCl6l4O13z5PQv1cUVgKDKWgbo_rNXDL_Fw_-aedVVJdAFOSYByUjEy1WYrAKoik0KHx_c69aCXZcuAXbYedYkZRtDb5Y3Bz98eqjrOBjT0XrWspWdGNqRvsq_L_rDERdnsUFDFKCNiFCHV4sg
Cache-Control: no-cache
Connection: keep-alive
Cookie: _ga=GA1.1.1057744305.1654277711; _gid=GA1.1.1514740287.1654641546; _gat=1
Host: localhost:9005
Origin: https://localhost:8888
Pragma: no-cache
Referer: https://localhost:8888/
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="102", "Google Chrome";v="102"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Request URL: https://localhost:9006/?TOKEN=00cfdab4e480656ed7d71b3e58df42fe5422d85d33118a5af5fb7cc66f2d81330b46740ccbca4927ecfe841e751f0de72fdf53c4eb7d66b7c5ab857e33c6beaa270950fe0c49047fd5260db3120731d0abbfe3be1a0d316db4b0754610c81e2b070cea24e46e0e5ef76937c65832ef7c315b452b846e87f59be3124478cee49045162c&endpoint=1d60eb5195725648
Referrer Policy: origin
Provisional headers are shown
Learn more
Referer: https://localhost:8888/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
I set max-age in Cache-Control header, but every time when I reload the webpage, it just goes out and fetches the resource again, following is an example request and response headers:
Request Headers
:authority: mydomain.com
:method: GET
:path: /.well-known/openid-configuration
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en
cache-control: max-age=0 // I have no idea why this is sent in request by chrome
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Response Headers
access-control-allow-credentials: true
cache-control: public, s-maxage=2678400, max-age=14400, immutable
cf-cache-status: DYNAMIC
cf-ray: 6e7465234fc16c30-SIN
content-encoding: br
content-type: application/json; charset=utf-8
date: Sat, 05 Mar 2022 16:58:12 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=dSVocqHdnD4mopGV2L7pD08hRF3MZbpmBAsNHWm2eBznl15JNgOU7bkNcBn4qgoszBpGpGoCBPSbgCLWq796dv0jta9Ajlwq0BCEyW55h3Q2NO7mfQuz8cABZLAgWam4"}],"group":"cf-nel","max_age":604800}
server: cloudflare
vary: Origin, Accept-Encoding
I'm trying to upload binary file (to Amazon S3) from my localhost Vue page, using Amazon API Gateway with CORS enabled.
Actual POST Request have issued after Preflight Request issued.
And file upload have succeed.
But the POST Request have caught error bellow.
I don't know Why got the error?
Chrome(Version 79.0.3945.79)
got message
Access to XMLHttpRequest at 'https://XXXXXXXXXXX.execute-api.ap-northeast-1.amazonaws.com/dev/upload' from origin 'http://192.168.0.20:8080' has been blocked by CORS policy:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
AXIOS ERROR: Error: Network Error
at createError (createError.js?2d83:16)
at XMLHttpRequest.handleError (xhr.js?b50d:81)
Source code
async upload() {
console.log("file:", this.file);
const axiosConfig = {
headers: {
"Content-Type": "image/png"
}
};
axios
.post("https://XXXXXXXXXX.execute-api.ap-northeast-1.amazonaws.com/dev/upload", this.file, axiosConfig)
.then(res => {
console.log("RESPONSE RECEIVED: ", res);
})
.catch(err => {
console.log("AXIOS ERROR: ", err);
});
Header(Preflight Request)
Request
:authority: XXXXXXXXXX.execute-api.ap-northeast-1.amazonaws.com
:method: OPTIONS
:path: /dev/upload
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,ja;q=0.8
access-control-request-headers: content-type
access-control-request-method: POST
origin: http://192.168.0.20:8080
referer: http://192.168.0.20:8080/
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.79 Safari/537.36
Response
access-control-allow-headers: Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token
access-control-allow-methods: DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT
access-control-allow-origin: *
content-length: 0
content-type: application/json
date: Fri, 13 Dec 2019 12:39:40 GMT
status: 200
via: 1.1 88c2e4442XXX3f0dXXX7df6fcXXX37ff.cloudfront.net (CloudFront)
x-amz-apigw-id: EpH19E9sNjMFhOg=
x-amz-cf-id: PEXXXH0x8_mlAspmv-xhi3X3XXXn_LSBswhXXXyqnCGZmVPkXXXYhw==
x-amz-cf-pop: NRT51-C1
x-amzn-requestid: 47XXc915-3b44-4XX7-959a-3XXX62150b3d
x-cache: Miss from cloudfront
Header(Actual POST)
Request
:authority: XXXXXXXXXX.execute-api.ap-northeast-1.amazonaws.com
:method: POST
:path: /dev/upload
:scheme: https
accept: application/json, text/plain, */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,ja;q=0.8
content-length: 6849
content-type: image/png
origin: http://192.168.0.20:8080
referer: http://192.168.0.20:8080/
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.79 Safari/537.36
Response
content-length: 47
content-type: application/json
date: Fri, 13 Dec 2019 12:39:40 GMT
status: 200
via: 1.1 88c2e44426XX3f0db837df6fc92437ff.cloudfront.net (CloudFront)
x-amz-apigw-id: EpH1_EeptjMFXqw=
x-amz-cf-id: XXqDis00oJqvh8wY-a0sugE6tuhwPHiJLs7ucXX5OdPC0uoCql7-nQ==
x-amz-cf-pop: NRT51-C1
x-amzn-requestid: 9XXX54a0-0a71-4cda-9d91-ae90a3322c9f
x-amzn-trace-id: Root=1-5XXX868c-fXXXa33dd82751efXXX547d;Sampled=0
x-cache: Miss from cloudfront
I solved it myself.
I don't know Why got the error?
Because Response header includes NO 'access-control-allow-origin'.
Browser could't read response body by CORB (Cross-Origin Read Blocking).
Added the header to response in Lambda function, it works.
s3.putObject({
Body: requestBody,
Bucket: "xxxxxx.com",
ContentType: "image/png",
Key: "uploadTest/logo.png"
})
.promise()
.then(result => {
const message = JSON.stringify(result);
callback(null, {
body: message,
statusCode: 200,
headers: {
"Access-Control-Allow-Origin": "*"
}
});
});
I am using swagger to post APi which works fine, but when I post it from react jsm that cause 405 issue.
Fiddler appears the RAW information for swagger as following:
POST http://localhost:7100/api/test/submit?guid=17327026-4348-4ce9-aceb-5774c3a724bf HTTP/1.1
Host: localhost:7100
Connection: keep-alive
Content-Length: 14
Origin: http://localhost:7100
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36
Content-Type: application/json
Accept: */*
Referer: http://localhost:7100/swagger/ui/index
Accept-Encoding: gzip, deflate, br
Accept-Language: en,en-US;q=0.8,zh;q=0.6,zh-CN;q=0.4
Cookie: ASP.NET_SessionId=yzdydpdimqvgpvejykzjqqqb; .ASPXAUTH=dWLGc_XQvl3qTNrEJXsRyk3w-tXBSFeXKC0bIUDzLDLFJi5kbSAt_hcJXQs0-pfz7uVm-VJ27ZGAbN8eErCNV-Wozn3D1ZbHD7ONNN5VCMjT_Joyz_1aIcTZLR401s0TtC4Br1sRlerv0zX4F4xnDLhrIm5YKkGfZj2aZzDgc-KjNPVWY1SEC6k2XqPq54vo9_HUvudihHGlneNx1n2JlodvFxAeYudKnUSBRWpp2rRAx94uF7KmmP5BQoTmBTTq1qKSv98YiPToicePFR32d9yk1Uw1qcFrnkKD2zKOCuJByNgCLN_eC5dOmdLKfPCekciEJ16KfeYg8XeApIf13vCrtGOy-L2EXibWuEjUjKCrUy8sfYTGNZbxDffTg9gNOn7-nfyR5hKLYDM0CxfmENV7S0ExTSFyGhsR5aqqB3oXq3A_i8ENabgGMy_tFyor06S7_vrUUcDlS2hFgsxWzgMrRUdVIlohHK2-slPdbhwuUKIZXKKiSQijwH0RskwF-l8RyVe_0VCcCVipk4MXtncDvrubmEW09LWeOycyc0wc1BmMHL9AATpBHA6WBNLEaMGS9-x-RhFC5YNJW1KtetmlXiaKmiX9L-2wWhVRgjlhmfjtRPjxlVvW1GxyeKC-JOlSPnY6DInNM-qa2dcZjdaoffdnLBvzKTHkJNwzUSZw8fN-Vz6SVmURMtpEQAKmxloNvw
"test working"
for post from react as following:
OPTIONS http://localhost:7100/api/test/submit?guid=17327026-4348-4CE9-ACEB-5774C3A724BF HTTP/1.1
Host: localhost:7100
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Access-Control-Request-Method: POST
Origin: http://localhost:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36
Access-Control-Request-Headers: content-type
Accept: */*
Referer: http://localhost:3000/?testId=17327026-4348-4ce9-aceb-5774c3a724bf
Accept-Encoding: gzip, deflate, br
Accept-Language: en,en-US;q=0.8,zh;q=0.6,zh-CN;q=0.4
I believe something wrong in following fetch post function, is there any chance to fix it, then the RAW information can be same as first one.
onFormSubmit(Result) {
fetch("http://localhost:7100/api/test/submit?guid=" + "17327026-4348-4CE9-ACEB-5774C3A724BF",
{
method: 'POST',
// headers: {'Content-Type':'application/x-www-form-urlencoded'},
headers: {'Content-Type':'application/json'},
// contentType: 'application/json; charset=utf-8',
// body: JSON.stringify(result)
body: "test working"
})
.then((response) => {
console.log(response.ok ? 'success' : 'error');
})
.catch(function (error) {
console.log('catch error');
});
}
This is a CORS Issue You need to allow requests comming from http://localhost:3000 in you server.
I am having trouble with Chromium-based browsers and CORS requests that
include 302 redirects. More specifically, I am having trouble with Chromium
versions 34-42 inclusive; 43 and later works, and it seems 33 and earlier
versions worked as well (I didn't test too far past 33, 28 worked).
My XHR request uses withCredentials=true, so Access-Control-Allow-Origin="*"
is not allowed; the server must reply with an Access-Control-Allow-Origin
header that echoes the incoming request's Origin header.
After receiving the first 302, Chromium 43 and later sends "Origin: null" as
part of the redirected request, and accepts 'Access-Control-Allow-Origin: null"
in response (as does Firefox).
The Chromium series of 34-42 all send the host name as Origin for all requests,
and several issues from this time indicate that CORS redirects were only
supported with Access-Control-Allow-Origin set to "*", and that "the original
XHR must not have allow-credentials set to true", example:
https://code.google.com/p/chromium/issues/detail?id=154967
I am hoping this is a misconception, and there is something as an app
developer I can do on the client and/or server to coerce those versions to
not cancel the redirect, or failing that, ideas for a workaround.
Version 33 & earlier sent the entire host name for every request, and the full
roundtrip works.
One possibility for a workaround I have been experimenting with stems from the
fact that, I actually do not need withCredentials=true for the cross-domain
request, I only need it for the redirect back to the origin host to exchange
cookie-based authentication for an access_token, but I could not find a way to
get the client to send a cookie when following the 302 to itself unless it was
also sent with the original cross-domain request.
To illustrate, here are excerpts from a chrome://net-internals/#events log for
a successful request using Chrome 43:
[img src]
HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> GET /media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ%3D%3D.jpg?timestamp=1437075435614 HTTP/1.1
Host: media-qa.example.com
Origin: https://qa-app.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Referer: https://qa-app.example.com/media/photos/
Cookie: [1568 bytes were stripped]
HTTP_TRANSACTION_READ_RESPONSE_HEADERS
--> HTTP/1.1 302 FOUND
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: X-HTTP-Method-Override, Content-Type, X-Requested-With
Access-Control-Allow-Origin: https://qa-app.example.com
Content-Type: text/html; charset=utf-8
Location: https://qa-app.example.com/oauth/authorize/?request_uri=https%3A//media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ%3D%3D.jpg%3Ftimestamp%3D1437075435614
[get cross-domain access token]
HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> GET /oauth/authorize/?request_uri=https%3A//media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ%3D%3D.jpg%3Ftimestamp%3D1437075435614 HTTP/1.1
Host: qa-app.example.com
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Referer: https://qa-app.example.com/media/photos/
Cookie: [1762 bytes were stripped]
HTTP_TRANSACTION_READ_RESPONSE_HEADERS
--> HTTP/1.1 302 FOUND
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type, X-HTTP-Method-Override, X-Requested-With
Access-Control-Allow-Origin: null
Content-Type: text/html; charset=utf-8
Location: https://media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ==.jpg?timestamp=1437075435614&access_token=L221i4rC5R8NY2AbP4lIxo7apr6HlIHttKroKkQi3tzUSaL7NE7aoBcLUI432Mast8b/NH7ksFfRhsCOhK7P86Lc4C9GlkRn%2Bze/UBJeG8gbRVlnxdjdzBFfp9kAbYR9onDM9b1bUdRaV1q19it8OL3aBzThrmng1E%2BMmT%2BVyK0qXLqQ6yA/tHfrgyC9XwFbKqW6BQSpLOyVOPHZZ4t3dgzimTD9HJCbLUUjZt7nf7iCAOBcaR9CiUH8vlcP4wkOmXk3AoDslYu6IUZtRHrSs7OplBtTXgmzBlSaum%2BccFzdNu5TuH%2BQkmp2QQHErwRJkUNN9S5ZcRzlXdUGg8%2B698Wh5zYFVa%2B/pEfykkf%2BAuqKjbVicGq%2BgxCYOCuqe4YJU/GPMHsBC6gvVYFmtkDaG4za1N4fvbmBb9u%2BHHZNdW0kvj55N9QgJ86lHZjddvfEivET0TVTo1u0u6Wp/TM4EMXLtMK3urBpEAMWBT9PlE8%3D
[url redirection service adds cloudfront signature]
HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> GET /media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ==.jpg?timestamp=1437075435614&access_token=L221i4rC5R8NY2AbP4lIxo7apr6HlIHttKroKkQi3tzUSaL7NE7aoBcLUI432Mast8b/NH7ksFfRhsCOhK7P86Lc4C9GlkRn%2Bze/UBJeG8gbRVlnxdjdzBFfp9kAbYR9onDM9b1bUdRaV1q19it8OL3aBzThrmng1E%2BMmT%2BVyK0qXLqQ6yA/tHfrgyC9XwFbKqW6BQSpLOyVOPHZZ4t3dgzimTD9HJCbLUUjZt7nf7iCAOBcaR9CiUH8vlcP4wkOmXk3AoDslYu6IUZtRHrSs7OplBtTXgmzBlSaum%2BccFzdNu5TuH%2BQkmp2QQHErwRJkUNN9S5ZcRzlXdUGg8%2B698Wh5zYFVa%2B/pEfykkf%2BAuqKjbVicGq%2BgxCYOCuqe4YJU/GPMHsBC6gvVYFmtkDaG4za1N4fvbmBb9u%2BHHZNdW0kvj55N9QgJ86lHZjddvfEivET0TVTo1u0u6Wp/TM4EMXLtMK3urBpEAMWBT9PlE8%3D HTTP/1.1
Host: media-qa.example.com
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Referer: https://qa-app.example.com/media/photos/
Cookie: [1568 bytes were stripped]
HTTP_TRANSACTION_READ_RESPONSE_HEADERS
--> HTTP/1.1 302 FOUND
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: X-HTTP-Method-Override, Content-Type, X-Requested-With
Access-Control-Allow-Origin: null
Content-Type: text/html; charset=utf-8
Location: https://gbbrsh.cloudfront.net/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ==.jpg?Expires=1437075499&Signature=RpCVix5lcF5~Arah0WxhSoB3SN7ZfxXIwnaL8EOdlslIz5c9Ycic1wF~sjwTnWD5fxS~SBhexIz37oqjHjED3MTPiXAmuPjO1mQ-V8ACc8N-geWBIvMQRw9kCjCRmtquSs7TynaFqopv0BpQKH2G1xVdfoDaOZZWso7pXnpR50c2NdyDD-WMZNLKJ657Dj4-wCL8ZJdUPOgiXsfcxM1AZGy5P034SCL8JB8ZyEh1bUDszLkQa8lIpsy08mt9t8ZjFcR2i6bqBZNZOquT3jbOEy8VprL4lmtyOmVJaNTaBevZC6rQ6CM~jd~Ya2FockK5bNGYxM043OU71NExS0lHTg__&Key-Pair-Id=APKAJNUAAHKHVOSPPXTQ
Set-Cookie: [349 bytes were stripped]
[finally, get cloudfront image]
HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> GET /media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ==.jpg?Expires=1437075499&Signature=RpCVix5lcF5~Arah0WxhSoB3SN7ZfxXIwnaL8EOdlslIz5c9Ycic1wF~sjwTnWD5fxS~SBhexIz37oqjHjED3MTPiXAmuPjO1mQ-V8ACc8N-geWBIvMQRw9kCjCRmtquSs7TynaFqopv0BpQKH2G1xVdfoDaOZZWso7pXnpR50c2NdyDD-WMZNLKJ657Dj4-wCL8ZJdUPOgiXsfcxM1AZGy5P034SCL8JB8ZyEh1bUDszLkQa8lIpsy08mt9t8ZjFcR2i6bqBZNZOquT3jbOEy8VprL4lmtyOmVJaNTaBevZC6rQ6CM~jd~Ya2FockK5bNGYxM043OU71NExS0lHTg__&Key-Pair-Id=APKAJNUAAHKHVOSPPXTQ HTTP/1.1
Host: gbbrsh.cloudfront.net
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Referer: https://qa-app.example.com/media/photos/
HTTP_TRANSACTION_READ_RESPONSE_HEADERS
--> HTTP/1.1 200 OK
Content-Length: 48776
Access-Control-Allow-Origin: null
Access-Control-Allow-Methods: GET
Access-Control-Max-Age: 3000
Access-Control-Allow-Credentials: true
Vary: Origin
And here is an unsuccessful log using version 42, note that all the redirects
using 43 above sent "Origin: null", but 42 sends the host name (which the
server replies with), and the client cancels the request:
HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> GET /media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ%3D%3D.jpg?timestamp=1437074740624 HTTP/1.1
Host: media-qa.example.com
Origin: https://qa-app.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36
Referer: https://qa-app.example.com/media/photos/
Cookie: [1571 bytes were stripped]
HTTP_TRANSACTION_READ_RESPONSE_HEADERS
--> HTTP/1.1 302 FOUND
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: X-HTTP-Method-Override, Content-Type, X-Requested-With
Access-Control-Allow-Origin: https://qa-app.example.com
Location: https://qa-app.example.com/oauth/authorize/?request_uri=https%3A//media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ%3D%3D.jpg%3Ftimestamp%3D1437074740624
HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> GET /oauth/authorize/?request_uri=https%3A//media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ%3D%3D.jpg%3Ftimestamp%3D1437074740624 HTTP/1.1
Host: qa-app.example.com
Origin: https://qa-app.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36
Referer: https://qa-app.example.com/media/photos/
Cookie: [1769 bytes were stripped]
HTTP_TRANSACTION_READ_RESPONSE_HEADERS
--> HTTP/1.1 302 FOUND
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type, X-HTTP-Method-Override, X-Requested-With
Access-Control-Allow-Origin: https://qa-app.example.com
Location: https://media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ==.jpg?timestamp=1437074740624&access_token=JbXemck/weq2TjoVtgwuXDZB1GgmBqlDix3z5WfsWFlf2aZVmCud99wtAU%2BBErVxm6Lk1MRP1ubM/bf59URPs9uXMLYC%2Bnk6lAYQRUBhO3UmBnZk967W/5f9/1YnfRHQe1Y9fGRSkddQJdzdOwkMAvYSCw%2BN1ofkrb4tYKz9OWja1WRuim82Mt5uzdb5eXVLUnlCCgqt9LjN6yDHPm7UjMwQMG8V0kFPIkL4ZGb/5WfXXa2NJY1Qq3GbFGFQID49vw/XDP6B9q9kRIL4D/NuLUocRUvw5iHZciqygpnJl1GaRcVr%2B5%2BBbKBw3c0Gou4X/ojiewnds2pYPPxNGKploy88l4GcjpGw%2BXmDiP4wUgCojhRporBjp2y87AnaY1k6BSI1j9xHxiSnjXT7pMsyXpBfMYCoAwV/w1Fh1E/Tu1ygXJhaOHAx%2B19BxOIYPWFJVw3djggbkN1jRo%2Bde%2BolGjfEXtFarwfx4nyCeNyYAd0%3D
Vary: Accept-Encoding
URL_REQUEST_DELEGATE [dt=0]
+URL_REQUEST_DELEGATE [dt=3]
DELEGATE_INFO [dt=3]
--> delegate_info = "AsyncResourceHandler"
-URL_REQUEST_DELEGATE
CANCELLED
As I mentioned, if you go back to version 33, it works even though the client
was sending the host name in the Origin header for all requests:
HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> GET /media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ%3D%3D.jpg?timestamp=1437076851710 HTTP/1.1
Host: media-qa.example.com
Origin: https://qa-app.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36
Referer: https://qa-app.example.com/media/photos/
Cookie: [1550 bytes were stripped]
HTTP_TRANSACTION_READ_RESPONSE_HEADERS
--> HTTP/1.1 302 FOUND
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: X-HTTP-Method-Override, Content-Type, X-Requested-With
Access-Control-Allow-Origin: https://qa-app.example.com
Location: https://qa-app.example.com/oauth/authorize/?request_uri=https%3A//media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ%3D%3D.jpg%3Ftimestamp%3D1437076851710
HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> GET /oauth/authorize/?request_uri=https%3A//media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ%3D%3D.jpg%3Ftimestamp%3D1437076851710 HTTP/1.1
Host: qa-app.example.com
Origin: https://qa-app.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36
Referer: https://qa-app.example.com/media/photos/
Cookie: [1763 bytes were stripped]
HTTP_TRANSACTION_READ_RESPONSE_HEADERS
--> HTTP/1.1 302 FOUND
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type, X-HTTP-Method-Override, X-Requested-With
Access-Control-Allow-Origin: https://qa-app.example.com
Location: https://media-qa.example.com/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ==.jpg?timestamp=1437076851710&access_token=C30mMVgoZSZtkpm3vgMNfLZEpkKT//%2BiZK5gbR39dvPfIaezfjNMocXJ0UCCH10jcE0yvOIrT8yISHerVvGZlGPy2rr2YwXkh1IsYcl0uNGYOP2bDYyz1cJNAwnRYZ4qS0uctDQiKNGZi3oC10TdIwzhz8aaOFAosRFEjPqrT553aXjpZr2SE4Z73TtU2pd%2B7ILICARbjp0r9yhDAAauJgQHkBAkcLVvW5TARQBeRR1OtXbf0CjN764EZ/2GEqCRhvo0rtVUQGUVpt/Sur9yFYUh1b/rFOZJ0o/Oj8rEUEg2c8p/O1ZrpN8emKMB%2BVWLXG97DPO6QpQmzGvaYCZsUDwGfvPNJ8wCtXEdQF0RzQMv3HG71StD9lK30BB46sDTuP24w7tH4PxqjY0cWBUpaMMz/mKLWuSWY6lerx7ibB7Gp%2B9OsclEHeaxKwFr%2BD63RFPmTwBtHKOF/PjIo%2BbmoxJZ07eJYAEYXDtfoLmFvM8%3D
Vary: Accept-Encoding
HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> GET /media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ==.jpg?timestamp=1437076851710&access_token=C30mMVgoZSZtkpm3vgMNfLZEpkKT//%2BiZK5gbR39dvPfIaezfjNMocXJ0UCCH10jcE0yvOIrT8yISHerVvGZlGPy2rr2YwXkh1IsYcl0uNGYOP2bDYyz1cJNAwnRYZ4qS0uctDQiKNGZi3oC10TdIwzhz8aaOFAosRFEjPqrT553aXjpZr2SE4Z73TtU2pd%2B7ILICARbjp0r9yhDAAauJgQHkBAkcLVvW5TARQBeRR1OtXbf0CjN764EZ/2GEqCRhvo0rtVUQGUVpt/Sur9yFYUh1b/rFOZJ0o/Oj8rEUEg2c8p/O1ZrpN8emKMB%2BVWLXG97DPO6QpQmzGvaYCZsUDwGfvPNJ8wCtXEdQF0RzQMv3HG71StD9lK30BB46sDTuP24w7tH4PxqjY0cWBUpaMMz/mKLWuSWY6lerx7ibB7Gp%2B9OsclEHeaxKwFr%2BD63RFPmTwBtHKOF/PjIo%2BbmoxJZ07eJYAEYXDtfoLmFvM8%3D HTTP/1.1
Host: media-qa.example.com
Origin: https://qa-app.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36
Referer: https://qa-app.example.com/media/photos/
Cookie: [1550 bytes were stripped]
HTTP_TRANSACTION_READ_RESPONSE_HEADERS
--> HTTP/1.1 302 FOUND
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: X-HTTP-Method-Override, Content-Type, X-Requested-With
Access-Control-Allow-Origin: https://qa-app.example.com
Location: https://gbbrsh.cloudfront.net/media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ==.jpg?Expires=1437076916&Signature=WBDGSQXer-zAREYgiD1~DA8pUaNUBha4WrUFt-WI5Soh4Z-5ayw35UocOG7DuC9FOnAQAeU5Nvp8hKdofDB--ic4aMH0e~LmHaJ38GtP-lHnyyfQDpjJOEmGM2GY3sB0KG7qa8~eTXX9jKDJTCG9Hkf0EpievuWwiXEKGYaSbe0tkR4CLyhND3sIDJbFGCQQZ7NmhMB-3vOsqDKYKKz9SebuiqO0qbL8SvqBkMEiufXCF2MriR4hVDEjFQssE3ysBbhiMlkaINAeOkEmiZEAjnhB-ncN31Lvy4Lo1LxiyCqKH9QwPOpa6ukK0WrYXWwiTi2VRAaxSjm-xgbGiIArmA__&Key-Pair-Id=APKAJNUAAHKHVOSPPXTQ
HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> GET /media/uploads/bucket/a746a337-5c20-46a6-a1fc-701e772970fd-bWFpbi1uLW4tMC0wLTAtNDUwLTQ0NQ==.jpg?Expires=1437076916&Signature=WBDGSQXer-zAREYgiD1~DA8pUaNUBha4WrUFt-WI5Soh4Z-5ayw35UocOG7DuC9FOnAQAeU5Nvp8hKdofDB--ic4aMH0e~LmHaJ38GtP-lHnyyfQDpjJOEmGM2GY3sB0KG7qa8~eTXX9jKDJTCG9Hkf0EpievuWwiXEKGYaSbe0tkR4CLyhND3sIDJbFGCQQZ7NmhMB-3vOsqDKYKKz9SebuiqO0qbL8SvqBkMEiufXCF2MriR4hVDEjFQssE3ysBbhiMlkaINAeOkEmiZEAjnhB-ncN31Lvy4Lo1LxiyCqKH9QwPOpa6ukK0WrYXWwiTi2VRAaxSjm-xgbGiIArmA__&Key-Pair-Id=APKAJNUAAHKHVOSPPXTQ HTTP/1.1
Host: gbbrsh.cloudfront.net
Origin: https://qa-app.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36
Referer: https://qa-app.example.com/media/photos/
HTTP_TRANSACTION_READ_RESPONSE_HEADERS
--> HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://qa-app.example.com
Access-Control-Allow-Methods: GET
Access-Control-Max-Age: 3000
Access-Control-Allow-Credentials: true
Vary: Origin