We're POSTing an AJAX request to a server running locally, i.e.
xhr.open("POST", "http://localhost:9000/context/request");
xhr.addHeader(someCustomHeaders);
xhr.send(someData);
The page that this javascript is being executed is also being served from localhost:9000, i.e. this totally looks like a same-origin request.
However, for some reason, Google Chrome always sets an Origin header in the resulting request, causing our server to block the request based on the false assumption that it's CORS request.
This does not happen in Firefox.
Also, neither Firefox nor Chrome are sending an OPTIONS preflight request, which is confusing; why set an Origin header without first preflighting to make sure the the Origin and the Custom headers are allowed by the server?
Does anyone know what is going on in this case? Are we misunderstanding the CORS spec?
Best Answer
Chrome and Safari include an
Origin
header on same-origin POST/PUT/DELETE requests (same-origin GET requests will not have an Origin header). Firefox doesn't include anOrigin
header on same-origin requests. Browsers don't expect CORS response headers on same-origin requests, so the response to a same-origin request is sent to the user, regardless of whether it has CORS headers or not.I would recommend checking the
Host
header, and if it matches the domain in theOrigin
header, don't treat the request as CORS. The headers look something like this:Note that
Origin
will have the scheme (http/https), domain and port, whileHost
will only have the domain and port.