CORS issue with FF and Safari

Firefox and Safari add an extra entry to the ‘Access-Control-Request-Headers’ preflight request and Infura returns a different response as a result.

To reproduce:

This is how the request looks from Chrome:

curl '<--- V3 Mainnet endpoint --->' -X OPTIONS --compressed -H 'Access-Control-Request-Method: POST' -H 'Access-Control-Request-Headers: content-type' -H 'Origin: https://example.com' --verbose

Will return

< HTTP/2 200 
< date: Thu, 30 Jul 2020 22:47:44 GMT
< content-length: 0
< access-control-allow-headers: Content-Type
< access-control-allow-methods: POST
< access-control-allow-origin: https://example.com
< vary: Origin
< vary: Access-Control-Request-Method
< vary: Access-Control-Request-Headers

This is the request as FF and Safari craft them:

curl '<--- V3 Mainnet endpoint --->' -X OPTIONS --compressed -H 'Access-Control-Request-Method: POST' -H 'Access-Control-Request-Headers: content-type,user-agent' -H 'Origin: https://example.com' --verbose

will return:

< HTTP/2 200 
< date: Thu, 30 Jul 2020 22:52:07 GMT
< content-length: 0
< vary: Origin
< vary: Access-Control-Request-Method
< vary: Access-Control-Request-Headers

This is causing requests to fail in Safari as far as I can tell.

Hi @justin - welcome to the Infura community! Have you tried adding “origin” as an allowed header? From this thread, it sounds like that may help.

Thank you for your response!

I think that is a server-side configuration.

   <AllowedHeader>origin</AllowedHeader>

If Infura were to add that it might help? Not sure.

Hey @Leiya,

It appears there is a problem with how your servers respond in the case where non-Chrome web browsers send requests. Specifically, the request Justin outlined above is issued by the browser when sending a pre-flight (OPTIONS) request, saying “Hey, when I issue the REAL request I will be sending the User-Agent header.” For some reason this breaks the CORS check and the Infura HTTP server responds with a payload that DENIES access to the API.

Thus a client accessing from Safari cannot do an API call, a client accessing from Firefox cannot do an API call, a client accessing from Chrome or Brave CAN.

This is a bug.
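
An added example, not part of the original thread and not Infura's code: a small checker that applies the browser's preflight rules (per the Fetch standard, for a request without credentials) to the two curl responses quoted above, showing why the second one blocks the real request. The names `parseCurlHeaders` and `checkPreflight` are hypothetical.

```javascript
// Added example: judge a CORS preflight response as a browser would
// (Fetch standard rules, request sent without credentials).
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// Parse `curl --verbose` response lines ("< name: value") into a status code
// and a map of lower-cased header name -> comma-separated tokens.
function parseCurlHeaders(text) {
  const headers = new Map();
  let status = 0;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/^<\s?/, "").trim();
    const m = /^HTTP\/[\d.]+\s+(\d{3})/.exec(line);
    if (m) { status = Number(m[1]); continue; }
    const i = line.indexOf(":");
    if (i <= 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    const tokens = line.slice(i + 1).split(",").map((t) => t.trim()).filter(Boolean);
    headers.set(name, (headers.get(name) || []).concat(tokens));
  }
  return { status, headers };
}

function checkPreflight(responseText, { origin, method, requestHeaders }) {
  const { status, headers } = parseCurlHeaders(responseText);
  const get = (n) => headers.get(n) || [];
  const reasons = [];
  if (status < 200 || status > 299) reasons.push(`status ${status} is not 2xx`);
  const allowOrigin = get("access-control-allow-origin");
  if (allowOrigin.length !== 1 || (allowOrigin[0] !== "*" && allowOrigin[0] !== origin))
    reasons.push("access-control-allow-origin missing or not matching Origin");
  const methods = get("access-control-allow-methods");
  if (!SAFELISTED_METHODS.has(method) && !methods.includes(method) && !methods.includes("*"))
    reasons.push(`method ${method} not allowed`);
  const allowed = get("access-control-allow-headers").map((h) => h.toLowerCase());
  for (const h of requestHeaders.map((x) => x.toLowerCase())) {
    // "*" covers any header except Authorization, which must be listed by name.
    const wildcard = allowed.includes("*") && h !== "authorization";
    if (!allowed.includes(h) && !wildcard) reasons.push(`request header "${h}" not allowed`);
  }
  return { ok: reasons.length === 0, reasons };
}

// Responses from the thread's two curl runs (date, content-length, vary omitted).
const CHROME_RESPONSE = "< HTTP/2 200\n< access-control-allow-headers: Content-Type\n" +
  "< access-control-allow-methods: POST\n< access-control-allow-origin: https://example.com";
const FIREFOX_RESPONSE = "< HTTP/2 200\n< vary: Origin";
const base = { origin: "https://example.com", method: "POST" };
console.log(checkPreflight(CHROME_RESPONSE, { ...base, requestHeaders: ["content-type"] }));
console.log(checkPreflight(FIREFOX_RESPONSE, { ...base, requestHeaders: ["content-type", "user-agent"] }));
```

The 200 status on the second response is not enough: with no `access-control-allow-origin` or `access-control-allow-headers` in the reply, the browser fails the preflight and never sends the POST.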

Hi @justin and @pgebheim - I’ve escalated this to our engineers and will let you know once we have an update!

Hi @justin and @pgebheim - we have identified the issue and are investigating a solution. We’ll give you an update on the fix as soon as we have it.
Thanks for your patience!