I have two web pages hosted on a.example.com
and b.example
. Each web page is including a script with a <script>
tag, hosted on another domain and served with correct CORS headers.
At a certain point, user navigates from a.example.com
to b.example.com
.
Safari has here a strange behavior: the referrer
and origin
headers in preflight request are filled with a.example.com
, making the server sending a bad value in Access-Control-Allow-Origin
(and so the script can't be executed).
Is there a way to force Safari browser to send correct origin
header in that kind of scenario ?
1 Answers
Answers 1
Does the cache policy for the script include Vary: Origin
?
Respectively is there actually a second request after navigating to b.example.com
?
If not, there is a chance that Safari is actually serving the script from cache - despite the Access-Control-Allow-Origin
policy forbidding it to access the resource. Which is a conforming behavior, if the cache policy isn't configured correctly.
0 comments:
Post a Comment