Cached Access-Control-Allow-Origin trouble about cors-anywhere HOT 6 CLOSED

I don't have any specific reason for not using wildcards. I will switch to always using wildcards to fix your problem.

from cors-anywhere.

Also pushed to backends at

https://cors-anywhere.herokuapp.com/
https://cors-anywhere-eu.herokuapp.com/

from cors-anywhere.

Can you share a sample URL to reproduce your bug? I will try to pin down the issue and create a report at http://crbug.com/new. If the bug really exists, then it needs to be fixed.

from cors-anywhere.

Suweet. Thanks for the quick fix, it's now working!

Unfortunately [well for you/Chrome, not me ;-] this is a client app and the CORS stuff is only used within the admin section. (Basically using it to create thumbnails for hotlinked images people occasionally save.)

Sounds like the browser really should be re-validating its cache in this case? If it helps here's basically the outline of the code, note that this was a CORS image load rather than XHR2:

var img = new Image();
img.crossOrigin = 'anonymous';
img.src = prefixedURL;
img.onload = function () { /* …make thumbnail using canvas.getContext('2d')… */ };
img.onerror = function () { /* …bubble up an error message. */ };

Thanks again for the super-quick workaround, and please let me know if there's anything else I can help with on this issue!

from cors-anywhere.

Figured that the steps to reproduce the original bug is:

1. Start a (local) server that serves resources (e.g. images) with the following headers:

   Access-Control-Allow-Origin: <Origin request header here>
   Cache-Control: max-age=3600
   

   E.g.

   require('http').createServer(function(req,res) {
   res.writeHead(200, {
       'access-control-allow-origin': req.headers.origin,
       'Cache-Control' : 'max-age=3600' // Cache for (e.g.) an hour
   });
   res.end();
   }).listen(1306);

2. Fetch the image once:

   var img = new Image();
   img.crossOrigin = 'anonymous';
   img.src = 'http://localhost:1306';
   

3. Repeat the previous step, on a different origin.

4. Observe that the previous step failed, because the request was retrieved from cache.

The specification mentions the expected behavior for the preflight cache (though it's not implemented in Chrome - http://crbug.com/260239).

I don't see anything about the browser's cache in either of the standards though (http://www.w3.org/TR/cors/ and http://fetch.spec.whatwg.org/).

The bug occurs in Firefox 26 as well.

(reported bug at https://www.w3.org/Bugs/Public/show_bug.cgi?id=23653#c2)

from cors-anywhere.

In a future version you might want to support credentials for origins and/or destinations matching a configuration list/regex, so you will need to return exact origin in allow-origin.

A Vary: Origin header may better fix the original issue

from cors-anywhere.