Opened 2 years ago

Last modified 6 months ago

#18080 new defect

CORS header 'Access-Control-Allow-Origin' missing

Reported by: cypherpunks
Owned by: tbb-team
Priority: High
Component: Applications/Tor Browser
Severity: Major
Keywords: tbb-usability-website

Description

It seems Tor Browser sometimes strips the Access-Control-Allow-Origin header. I ran into the issue when using Globe. When the header is stripped the browser console contains the warning

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://onionoo.torproject.org/details?lookup=299F0933E93B6571ED1CB3D52090E6E13D62427C. (Reason: CORS header 'Access-Control-Allow-Origin' missing).

The reasons why I believe Tor Browser is the cause are

  1. Onionoo explicitly sets the header.
  2. Responses from direct requests to an Onionoo resource using Tor Browser sometimes do not show the header in the Network Monitor.
  3. Responses from direct requests to the same Onionoo resource using curl consistently contain the header.

Child Tickets

Change History (17)

comment:1 Changed 2 years ago by gk

Status: new → needs_information

Hrm. I tried a bit and looked at our code but did not see anything obvious. Steps for reproducing would be really helpful here.

comment:2 in reply to: 1 Changed 2 years ago by cypherpunks

Replying to gk:

> Hrm. I tried a bit and looked at our code but did not see anything obvious. Steps for reproducing would be really helpful here.

I cannot reproduce it reliably but it happens sometimes with the following steps.

  1. Go to https://onionoo.torproject.org/summary?limit=1.
  2. Open Firefox Developer Tools.
  3. Go to the Network tab.
  4. Refresh the page with F5.
  5. Look at the response headers of the first (and only) request.
  6. If the Access-Control-Allow-Origin header is not missing, go to step 4.

After 3-5 refreshes the header disappears. However, it can also reappear and disappear again with subsequent refreshes.

FWIW I'm using Tor Browser 5.0.7.

comment:3 Changed 2 years ago by bugzilla

Oops, the algorithm in comment:2 is not so plain: the first request is actually the second (the first was in step 1); it always misses the header on alpha, except when the exit node was changed by a timeout; how can it reappear if the algorithm states to update only when the header is not missing?

Last edited 2 years ago by bugzilla

comment:4 in reply to: 3; Changed 2 years ago by cypherpunks

Replying to bugzilla:

> Oops, the algorithm in comment:2 is not so plain: the first request is actually the second (the first was in step 1)

If the Firefox Developer Tools window isn't open at step 1, the Network tab doesn't show any requests when you first open it. With the first request I meant the first one in the request list in the Network tab after the refresh at step 4. There should be only one request in this list because the page I linked has no other resources it needs to load. Furthermore, the list of requests gets cleared after each refresh (which is the default unless the setting has been changed).

> it always misses the header on alpha

Does loading node information on https://globe.torproject.org/ work for you on alpha when the header is missing?

> except when the exit node was changed by a timeout

Did the exit node change alter the responses you got?

> how can it reappear if the algorithm states to update only when the header is not missing?

This could happen when you continue to refresh after you found that the header is missing. The steps are only to reproduce the missing header case.

comment:5 in reply to: 4; Changed 2 years ago by bugzilla

Replying to cypherpunks:

> Replying to bugzilla:
>
> > Oops, the algorithm in comment:2 is not so plain: the first request is actually the second (the first was in step 1)
>
> If the Firefox Developer Tools window isn't open at step 1, the Network tab doesn't show any requests when you first open it. With the first request I meant the first one in the request list in the Network tab after the refresh at step 4. There should be only one request in this list because the page I linked has no other resources it needs to load. Furthermore, the list of requests gets cleared after each refresh (which is the default unless the setting has been changed).

Not the first request, but the first shown request.

> > it always misses the header on alpha
>
> Does loading node information on https://globe.torproject.org/ work for you on alpha when the header is missing?

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://onionoo.torproject.org/details?lookup=D4125249A474408F0FBA4DB15AC207E31E4CF6B3. (Reason: CORS header 'Access-Control-Allow-Origin' missing).

> > except when the exit node was changed by a timeout
>
> Did the exit node change alter the responses you got?

The header is always present after New Circuit.

> > how can it reappear if the algorithm states to update only when the header is not missing?
>
> This could happen when you continue to refresh after you found that the header is missing. The steps are only to reproduce the missing header case.

The header is always missing at step 5, so step 6 is false; why go to step 4 (refresh)?

comment:6 in reply to: 5 Changed 2 years ago by cypherpunks

Replying to bugzilla:

> Replying to cypherpunks:
>
> > Replying to bugzilla:
> >
> > > Oops, the algorithm in comment:2 is not so plain: the first request is actually the second (the first was in step 1)
> >
> > If the Firefox Developer Tools window isn't open at step 1, the Network tab doesn't show any requests when you first open it. With the first request I meant the first one in the request list in the Network tab after the refresh at step 4. There should be only one request in this list because the page I linked has no other resources it needs to load. Furthermore, the list of requests gets cleared after each refresh (which is the default unless the setting has been changed).
>
> Not the first request, but the first shown request.

This is what I meant; next time I'll use better wording.

> > > it always misses the header on alpha
> >
> > Does loading node information on https://globe.torproject.org/ work for you on alpha when the header is missing?
>
> Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://onionoo.torproject.org/details?lookup=D4125249A474408F0FBA4DB15AC207E31E4CF6B3. (Reason: CORS header 'Access-Control-Allow-Origin' missing).

This is the same error I got (see ticket description), so having that header go missing really is a problem.

> > > except when the exit node was changed by a timeout
> >
> > Did the exit node change alter the responses you got?
>
> The header is always present after New Circuit.

I didn't test this before, but now that I did I see the same behavior.

> > > how can it reappear if the algorithm states to update only when the header is not missing?
> >
> > This could happen when you continue to refresh after you found that the header is missing. The steps are only to reproduce the missing header case.
>
> The header is always missing at step 5, so step 6 is false; why go to step 4 (refresh)?

Because previously the header didn't always go missing after the first refresh. Using a new circuit makes reproducing the issue reliable, thanks for pointing this out.

comment:7 Changed 2 years ago by cypherpunks

The steps to reproduce this issue reliably are now

  1. Go to https://onionoo.torproject.org/summary?limit=1.
  2. Open the Firefox Developer Tools window.
  3. Go to the Network tab.
  4. Use a new Tor circuit for the page.
  5. The Access-Control-Allow-Origin header should now be among the response headers of the first shown request.
  6. Refresh the page with F5.
  7. The Access-Control-Allow-Origin header isn't among the response headers of the first shown request anymore.

comment:8 in reply to: 7; Changed 2 years ago by gk

Replying to cypherpunks:

> The steps to reproduce this issue reliably are now
>
>   1. Go to https://onionoo.torproject.org/summary?limit=1.
>   2. Open the Firefox Developer Tools window.
>   3. Go to the Network tab.
>   4. Use a new Tor circuit for the page.
>   5. The Access-Control-Allow-Origin header should now be among the response headers of the first shown request.
>   6. Refresh the page with F5.
>   7. The Access-Control-Allow-Origin header isn't among the response headers of the first shown request anymore.

This happens in a vanilla Firefox as well and is probably related to the refresh behavior done via F5. If I reload the page with Ctrl+Shift+R I always get the Access-Control-Allow-Origin header. So, I guess this is not a bug. That said, while testing I did not encounter the "Cross-Origin Request Blocked:"-message. Thus, there might still be more to it. How can I reproduce that one?
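A small checker for the reload comparison in the comment above, added here as an example and not part of the ticket, of Tor Browser or of Onionoo: it parses raw HTTP response heads and reports, per reload style, whether Access-Control-Allow-Origin is present. The sample heads are constructed, not captured from Onionoo, and the idea that a normal F5 reload is answered by a 304 that omits the header while a forced reload gets a full 200 is an assumption used to build them, not a finding stated in the ticket. The optional fetch_head helper probes a live URL directly (not through Tor) so the same functions can be applied to real responses.

```python
import http.client
from urllib.parse import urlsplit

ACAO = "access-control-allow-origin"

def parse_head(raw):
    """Split a raw HTTP/1.1 response head into (status_code, {name: value});
    header names are lower-cased so the lookup is case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def has_acao(raw):
    """True if the response head carries Access-Control-Allow-Origin."""
    return ACAO in parse_head(raw)[1]

def reload_report(samples):
    """{label: raw_head} -> {label: (status, header_present)} for a side-by-side view."""
    return {lbl: (parse_head(raw)[0], has_acao(raw)) for lbl, raw in samples.items()}

def fetch_head(url, extra_headers=None):
    """Live probe (network, direct rather than through Tor): return the head of url
    as raw text. Send If-None-Match to imitate F5, Cache-Control: no-cache for Ctrl+Shift+R."""
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(parts.netloc, timeout=15)
    path = parts.path + ("?" + parts.query if parts.query else "")
    conn.request("GET", path, headers=extra_headers or {})
    resp = conn.getresponse()
    head = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
    conn.close()
    return head + "\r\n"

# Constructed sample heads (an assumption, not captured from Onionoo): a forced
# reload answered with a full 200 carrying the header, a normal reload answered
# with a 304 that omits it.
SAMPLES = {
    "ctrl_shift_r": ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
                     'ETag: "v1"\r\nAccess-Control-Allow-Origin: *\r\n\r\n{}'),
    "f5": 'HTTP/1.1 304 Not Modified\r\nETag: "v1"\r\n\r\n',
}

if __name__ == "__main__":
    for label, (status, ok) in reload_report(SAMPLES).items():
        print(f"{label:13} {status} ACAO={'present' if ok else 'MISSING'}")
```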

comment:9 in reply to: 8 Changed 2 years ago by cypherpunks

Replying to gk:

> This happens in a vanilla Firefox as well and is probably related to the refresh behavior done via F5. If I reload the page with Ctrl+Shift+R I always get the Access-Control-Allow-Origin header. So, I guess this is not a bug. That said, while testing I did not encounter the "Cross-Origin Request Blocked:"-message. Thus, there might still be more to it. How can I reproduce that one?

The steps to reproduce the "Cross-Origin Request Blocked" message are somewhat similar.

  1. Go to https://globe.torproject.org/#/relay/1C90D3AEADFF3BCD079810632C8B85637924A58E.
  2. Open the Firefox Developer Tools window.
  3. Go to the Console tab.
  4. Use a new Tor circuit for the page.
  5. Refresh the page with F5.
  6. A "Cross-Origin Request Blocked" message is now shown in the Console tab.

In this state Globe gets stuck with a loading animation, for which I submitted #18081.

comment:11 Changed 2 years ago by bugzilla

Keywords: tbb-usability-website added

Hmm, this bug is really annoying sometimes.
Some sites automatically redirect to the homepage because of it.

Last edited 2 years ago by bugzilla

comment:12 Changed 2 years ago by cypherpunks

#18663 mentions that Onionoo has inconsistent header responses so maybe the problem is on Onionoo's side.

comment:13 Changed 2 years ago by bugzilla

Summary: Do not strip the Access-Control-Allow-Origin header → Firefox bug - CORS header 'Access-Control-Allow-Origin' missing

Mozilla definitely has problems with that, even on its own infrastructure: https://bugzilla.mozilla.org/show_bug.cgi?id=1254742

(Another part of pre45 adventures with CORS is documented here: https://bugzilla.mozilla.org/show_bug.cgi?id=1243453)

This bug continues to appear in FF45ESR.
Now it is often seen on YouTube:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://r3---sn-5hnedn7y.googlevideo.com/videogoodput?id=o-ALptvSgkiq9dj8YZzEjU_IlvEja-D5U5YEWCtk6YDcPI&source=goodput&range=0-4999&expire=1460177375&ip=62.212.73.141&pl=24&sparams=expire,id,ip,ipbits,mm,mn,ms,mv,nh,pl,range,source&signature=1411C3663C76BC15F604D83CCE8B212269F36034.73E3F793170A0535E2418D142CABE082F2108EB6&key=cms1&cpn=ZN5lo-1WLQOGlNUK&redirect_counter=1&req_id=6484cc337323af3a&cms_redirect=yes&ipbits=0&mm=34&mn=sn-5hnedn7y&ms=ltu&mt=1460173716&mv=m&nh=IgpwcjAxLmFtczE1Kg03Mi4xNC4yMTcuMTcz. (Reason: CORS header 'Access-Control-Allow-Origin' missing). <unknown>

Last edited 23 months ago by bugzilla

comment:14 in reply to: 8 Changed 20 months ago by bugzilla

Replying to gk:

> That said, while testing I did not encounter the "Cross-Origin Request Blocked:"-message.

When the redirect in comment:11 turns into an endless loop, maybe because of #18222, the message isn't shown in the Console either. But it appears only once in the loop after clicking Clear, and 403 Forbidden isn't shown at all after it, probably because of #19921. So this all looks like the previous craziness of Torbutton.

comment:15 Changed 9 months ago by cypherpunks

My web chat can't reconnect because of this error!
It appeared right after the HTTPSE update, which was responsible for messing with headers in the past (#9481).

comment:16 Changed 7 months ago by cypherpunks

When the circuit visualizer has to update the circuit for the site (the circuit was re-requested because the site was idle for a while), it breaks the site's WebSocket connection with this error in the console.

comment:17 Changed 6 months ago by cypherpunks

Priority: Medium → High
Severity: Normal → Major
Status: needs_information → new
Summary: Firefox bug - CORS header 'Access-Control-Allow-Origin' missing → CORS header 'Access-Control-Allow-Origin' missing

After some time Tor Browser forgets/messes with the headers of the same resources that worked before. That leads to

Error Connecting (Error: xhr poll error)

(refreshing doesn't help, new circuit helps)

Last edited 6 months ago by cypherpunks