[Webkit-unassigned] [Bug 236084] New: Cache-Control is not allowed by Access-Control-Allow-Headers
bugzilla-daemon at webkit.org
Thu Feb 3 08:39:09 PST 2022
https://bugs.webkit.org/show_bug.cgi?id=236084
Bug ID: 236084
Summary: Cache-Control is not allowed by Access-Control-Allow-Headers
Product: WebKit
Version: Safari 15
Hardware: All
OS: iOS 15
Status: NEW
Severity: Normal
Priority: P2
Component: Service Workers
Assignee: webkit-unassigned at lists.webkit.org
Reporter: zach at yembo.ai
Created attachment 450774
--> https://bugs.webkit.org/attachment.cgi?id=450774&action=review
Console log showing the failure scenario.
We have a web app that allows for offline behavior. When offline, the API calls that the UI would make are stored in a queue. Then when the device comes back online, the service worker parses the offline request queue and syncs the activities with the server via fetch calls. We are seeing that Safari (tested on iPad Pro and Mac) intermittently refuses to execute a request with an image in the body with the following error:
Failed to load resource: Request header field Cache-Control is not allowed by Access-Control-Allow-Headers
This is strange behavior because this header is automatically added to other requests and they execute without a problem. The problem only happens when both of the following conditions are met:
(i) The network request is made from the service worker queue (in our app, this means the device was offline but is coming back online)
(ii) The network request contains blob data in the body (in our case, an image. Plain JSON calls go through without an issue)
The error does not happen unless both of the above conditions are met. But if both of the conditions are met, the error appears intermittently. Sometimes the request goes through and other times it is blocked.
From MDN ( https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers ), "CORS-safelisted request headers are always allowed" and therefore shouldn't need to be added to Access-Control-Allow-Headers. Cache-Control is listed as a CORS-safelisted response header: https://developer.mozilla.org/en-US/docs/Glossary/CORS-safelisted_response_header
We were able to work around this by adding Cache-Control to the server's Access-Control-Allow-Headers list, but it seemed like strange behavior so we wanted to report it.
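Added example, not part of the original report and not WebKit's code: a simplified model of the Fetch standard's preflight check on request headers, showing which headers of an upload like the one described must be named in Access-Control-Allow-Headers. The function names and the sample header values are constructed for illustration; byte-level value checks, the Range header and the total-size limit are left out.

```javascript
// Simplified model of the CORS preflight request-header check (Fetch standard).
// Content-Type is only safelisted on requests for these three MIME types.
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// True when a request header needs no approval from the preflight response.
function isSafelistedRequestHeader(name, value) {
  const n = name.toLowerCase();
  if (value.length > 128) return false; // over-long values are never safelisted
  if (n === "accept" || n === "accept-language" || n === "content-language") return true;
  if (n === "content-type") {
    const essence = value.split(";")[0].trim().toLowerCase();
    return SAFELISTED_CONTENT_TYPES.has(essence);
  }
  return false; // every other name, Cache-Control included, needs approval
}

// Returns the request header names the preflight response does not permit.
function blockedHeaders(requestHeaders, allowHeadersValue, withCredentials = false) {
  const allowed = new Set(
    (allowHeadersValue || "").split(",").map((h) => h.trim().toLowerCase()).filter(Boolean)
  );
  // "*" is a wildcard only for requests without credentials, and never covers Authorization.
  const wildcard = allowed.has("*") && !withCredentials;
  return Object.entries(requestHeaders)
    .filter(([name, value]) => !isSafelistedRequestHeader(name, value))
    .map(([name]) => name.toLowerCase())
    .filter((n) => !(allowed.has(n) || (wildcard && n !== "authorization")))
    .sort();
}

// Constructed sample: an image upload replayed from an offline queue.
const queuedUpload = {
  "Content-Type": "image/jpeg",
  "Cache-Control": "no-cache",
  "Accept": "application/json",
};
console.log(blockedHeaders(queuedUpload, "Content-Type"));
console.log(blockedHeaders(queuedUpload, "Content-Type, Cache-Control"));
```

Run against the headers a client actually sends, this check lists what the server's Access-Control-Allow-Headers value still has to name before the browser will issue the request.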