I have problem with the way Safari handles CORS requests. Consider following scenario:
- DomainA hosts a page which makes a XHR request to DomainB (origin header is set to DomainA)
- DomainB returns 302 redirect do DomainC (origin header is set to null, which seems to be OK with RFC)
- DomainC return 200 response with actual content
This works in Chrome, FF, but it fails on Safari (tested on Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/600.8.9 (KHTML, like Gecko) Version/8.0.8 Safari/600.8.9).
When I make the request without xhr.withCredentials turned on, first, Safari makes a OPTIONS preflight request prior actual request to DomainC, which IMHO is not nessesary as all request are simple request, but that I can handle. Problem is Safari fails after preflight request to DomainC saying "Cannot make any request from null". I can bypass this by setting Access-Control-Allow-Origin to * and drop Access-Control-Allow-Credentials header (those are mutually exclusive), which would make this scenario work. However I still think this is not correct behavior.
Now, thing is I need credentials to be passed by (and no, I can not pass it some other way as it depends on some third party servers). So, let's set
xhr.withCredentials
to true and we are back to "Cannot make any request from null" and now even wildcarding Access-Control-Allow-Credentials does not help.
I think all CORS headers are set properly, but please feel free to check me. Test example can be found here: http://a.ihatesafari.com
What is going on here? Is it a bug or am I missing something?
Thanks for answers