uMatrix
CORS requests fail when cookie-less domains are set to allow xhr but block cookies [facebook] [firefox]
Not sure if this is an issue; it isn't an issue to me any longer, but it was interesting and might be helpful to the developer or to other users, so I thought I'd document it.
For a few days I had xhr allowed for all Facebook domains but had cookies blocked on a few of them (domains which didn't even set cookies in the first place) (don't ask me why, but I did it and it caused problems, and only now did I realise that was the issue), e.g.

```
facebook.com 1st-party cookie allow
facebook.com 1st-party xhr allow
facebook.com 0-edge-chat.facebook.com cookie block
facebook.com 1-edge-chat.facebook.com cookie block
```

etc.
The *-edge-chat. subdomains never set cookies, but I blocked them from doing so anyway, and they still had xhr enabled. But Facebook notifications stopped working and I had to hard refresh pages to see updates. Then I looked in the Firefox console and saw lots of messages like this:
03:11:31.663 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://2-edge-chat.facebook.com/pull?channel=p_100009048180067&seq=0&partition=-2&clientid=2f1bec8c&cb=liny&idle=60&qp=y&cap=8&msgs_recv=0&uid=100009048180067&viewer_uid=100009048180067&msgr_region=ATN. (Reason: CORS header 'Access-Control-Allow-Origin' missing).1
Removing the cookie blocks fixed it. So for some reason blocking cookies on domains with uMatrix, even when they don't set cookies, blocks CORS requests to them?? Anyway, it was stupid to add those in the first place, so I removed them and it's fixed. But yeah, not sure if that's intended behaviour or not.
Do you see any `Cookie` header in the request headers for `*-edge-chat.facebook.com`? Cookies from `facebook.com` could be sent if they are allowed to be sent to subdomains. The domain for such cookies starts with a `.`.
Hmm, I guess I do?

```
https://2-edge-chat.facebook.com/pull?channel=p_100009185400624&seq=0&partition=-2&clientid=475e63f0&cb=fa6g&idle=22&qp=y&cap=8&wtc=9%2C1%2C0.000%2C9%2C9&msgs_recv=0&uid=100009185400624&viewer_uid=100009185400624&sticky_token=320&sticky_pool=ash2c06_chat-proxy&state=offline&mode=stream&format=json

GET /pull?channel=p_100009185400624&seq=0&partition=-2&clientid=475e63f0&cb=fa6g&idle=22&qp=y&cap=8&wtc=9%2C1%2C0.000%2C9%2C9&msgs_recv=0&uid=100009185400624&viewer_uid=100009185400624&sticky_token=320&sticky_pool=ash2c06_chat-proxy&state=offline&mode=stream&format=json HTTP/1.1
Host: 2-edge-chat.facebook.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
origin: https://www.facebook.com
Cookie: aa4d9c98f8b33ddbc0360f419fe0de126c0b5807bf245a236a26d95496cd1518
Connection: keep-alive

HTTP/1.1 200 OK
access-control-allow-credentials: true
access-control-allow-origin: https://www.facebook.com
Cache-Control: private, no-store, no-cache, must-revalidate
Content-Encoding: gzip
Content-Type: application/json
Date: Tue, 29 Sep 2015 04:15:13 GMT
Pragma: no-cache
x-frame-options: DENY
X-Firefox-Spdy: 3.1
```

I encrypted the cookie data.
And yeah, I just looked at my cookie list and all of the Facebook ones are set for ".facebook.com".
So, like, is this an issue? I guess some cross-site requests to domains are using cookies without permission and without any indication, so that could be an issue. Don't know of any other sites where this happens though, and in this case it's kinda needed for the site to not break.