CORS issue with FF and Safari

Firefox and Safari add an extra entry to the ‘Access-Control-Request-Headers’ preflight request and Infura returns a different response as a result.

To reproduce:

This is how the request looks from Chrome:

curl '<--- V3 Mainnet endpoint --->' -X OPTIONS --compressed -H 'Access-Control-Request-Method: POST' -H 'Access-Control-Request-Headers: content-type' -H 'Origin: https://example.com' --verbose

Will return

< HTTP/2 200 
< date: Thu, 30 Jul 2020 22:47:44 GMT
< content-length: 0
< access-control-allow-headers: Content-Type
< access-control-allow-methods: POST
< access-control-allow-origin: https://example.com
< vary: Origin
< vary: Access-Control-Request-Method
< vary: Access-Control-Request-Headers

This is the request as FF and Safari craft it:

curl '<--- V3 Mainnet endpoint --->' -X OPTIONS --compressed -H 'Access-Control-Request-Method: POST' -H 'Access-Control-Request-Headers: content-type,user-agent' -H 'Origin: https://example.com' --verbose

will return:

< HTTP/2 200 
< date: Thu, 30 Jul 2020 22:52:07 GMT
< content-length: 0
< vary: Origin
< vary: Access-Control-Request-Method
< vary: Access-Control-Request-Headers

This is causing requests to fail in Safari as far as I can tell.

Hi @justin - welcome to the Infura community! Have you tried adding “origin” as an allowed header? From this thread, it sounds like that may help.

Thank you for your response!

I think that is a server side configuration.

   <AllowedHeader>origin</AllowedHeader>

If Infura were to add that it might help? Not sure.

Hey @Leiya,

It appears there is a problem with how your servers respond in the case where non-Chrome web browsers send requests. Specifically, the request Justin outlined above is issued by the browser when sending a pre-flight (OPTIONS) request, saying “Hey, when I issue the REAL request I will be sending the User-Agent header.” For some reason this breaks the CORS check and the Infura HTTP server responds with a payload that DENIES access to the API.

Thus a client accessing from Safari cannot do an API call, a client accessing from Firefox cannot do an API call, a client accessing from Chrome or Brave CAN.

This is a bug.
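
Added example, not part of the thread or Infura's code: a simplified version of the check a browser applies to a preflight response (non-credentialed requests only), run over the header values from the two curl runs above. The function and variable names are illustrative, and the `partial` case is constructed.

```javascript
// Added example: simplified CORS-preflight check for non-credentialed requests.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// Split a comma-separated header value into lowercase tokens.
const tokens = (value) =>
  (value || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);

// request/response: plain objects keyed by lowercase header name.
function checkPreflight(request, response) {
  const allowOrigin = response["access-control-allow-origin"];
  if (!allowOrigin || (allowOrigin !== "*" && allowOrigin !== request["origin"])) {
    return { ok: false, reason: "allow-origin missing or mismatched" };
  }
  const method = (request["access-control-request-method"] || "").toUpperCase();
  const allowMethods = tokens(response["access-control-allow-methods"]);
  const methodOk = SAFELISTED_METHODS.has(method) ||
    allowMethods.includes(method.toLowerCase()) || allowMethods.includes("*");
  if (!methodOk) return { ok: false, reason: `method not allowed: ${method}` };

  // Every header announced in the preflight must be listed in the response.
  const allowHeaders = tokens(response["access-control-allow-headers"]);
  const missing = tokens(request["access-control-request-headers"])
    .filter((h) => !allowHeaders.includes(h) && !allowHeaders.includes("*"));
  if (missing.length) {
    return { ok: false, reason: `headers not allowed: ${missing.join(",")}` };
  }
  return { ok: true, reason: "preflight passes" };
}

// Header values transcribed from the two curl runs in the thread.
const base = { "origin": "https://example.com", "access-control-request-method": "POST" };
const chromeReq = { ...base, "access-control-request-headers": "content-type" };
const firefoxReq = { ...base, "access-control-request-headers": "content-type,user-agent" };
const fullResp = {
  "access-control-allow-headers": "Content-Type",
  "access-control-allow-methods": "POST",
  "access-control-allow-origin": "https://example.com",
};
const bareResp = {}; // second curl run: only vary headers came back

const results = {
  chrome: checkPreflight(chromeReq, fullResp),
  firefox: checkPreflight(firefoxReq, bareResp),
  // Constructed case: the first response returned for the Firefox/Safari
  // request, i.e. allow-headers present but not listing user-agent.
  partial: checkPreflight(firefoxReq, fullResp),
};
console.log(results);
```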

Hi @justin and @pgebheim - I’ve escalated this to our engineers and will let you know once we have an update!

Hi @justin and @pgebheim - we have identified the issue and are investigating a solution. We’ll give you an update on the fix as soon as we have it.
Thanks for your patience!

Hi @justin and @pgebheim - we’ve updated this for eth HTTP (not WebSockets yet, but we’ll update you when that happens)

Hi Leiya, I’m seeing this error in Firefox. Can you confirm that this fix is still in place?

Hi @jeffywu - welcome to the Infura community! The fix is still in place; have you tried it in Safari or Chrome? I will bring this up with the engineering team, but full disclosure, it may take some time to get a fix in place, so I would suggest using another browser in the meantime.