Edge returns invalid response from cache when CORS headers change

Fixed Issue #10703153


Markus F.
Jan 28, 2017
This issue is public.
Found in
  • Microsoft Edge
Found in build #
Reported by 2 people

Steps to reproduce

When requesting a cacheable resource first without an Origin request header (and thus not getting any CORS header in the response, but still a Vary: Origin which tells browsers that responses will be different based on the Origin request header), and then later with an Origin header (to which the server responds with 304 and the appropriate Access-Control-Allow-Origin header), Edge (14) constructs a response from cache without the CORS header, and the response thus could not be read and a security error is thrown.

Here is a reduced test case:
It first requests a text file in an iframe (no Origin request header), and then with AJAX (anonymous CORS). The second request fails.

This works with all current major browsers, Safari 10, Firefox 50, Chrome 55, AND EVEN in IE11.

As CORS is more and more used (e.g. with images when rendered in canvas), with webfonts, with video when used in OpenGL context, this is a major in Edge.


    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Brad E.”

      Changed Assigned To from “Brad E.” to “Brandon M.”

      Changed Status to “Confirmed”

    • Thanks for confirming this. When fixing, please also consider that not only the presence of the Origin request header could change, but only its value. One and the same resource could be requested via CORS from origin 1 and some other time from origin 2.

      I think this is described in this (unfortunately still open) bug report: https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/8047605/ I’ve also added a modified test case there.

    • Microsoft Edge Team

      Changed Assigned To from “Brandon M.” to “Ali A.”

      Changed Status from “Confirmed” to “Fixed”

    • Thank you for reaching out Markus! We’ve fixed this bug and it should be available in an upcoming Windows Insider build. We haven’t yet fixed the other bug, but I’ve confirmed it as reproducible.

    • Thank you very much, that went fast!

    • Has the issue with Edge for CORS for cached files been fixed?
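
Added example, not part of the original report and not Edge's code: a toy JavaScript cache model of the two cases raised in this thread (Origin absent then present, and Origin changing between two values). The server, URL and origins are constructed, and `honourVary = false` only mimics the reported symptom.

```javascript
// Constructed origin server: always sends Vary: Origin, adds the CORS header
// only when the request carries Origin, and answers a matching ETag with 304.
function server(req) {
  const headers = { etag: '"v1"', vary: 'origin' };
  if (req.origin) headers['access-control-allow-origin'] = req.origin;
  if (req['if-none-match'] === headers.etag) return { status: 304, headers };
  return { status: 200, headers, body: 'hello' };
}

// Toy cache (hypothetical). honourVary=false finds the stored entry by URL
// alone and discards the 304's headers, which reproduces the reported symptom.
// honourVary=true adds the Origin request header value to the cache key.
function makeCache(honourVary) {
  const store = new Map();
  return function fetchVia(url, req) {
    const key = honourVary ? `${url}|origin=${req.origin ?? ''}` : url;
    const hit = store.get(key);
    const res = server(hit ? { ...req, 'if-none-match': hit.headers.etag } : req);
    if (res.status === 304) {
      // A correct cache refreshes the stored headers from the 304 before reuse.
      if (honourVary) hit.headers = { ...hit.headers, ...res.headers };
      return hit;
    }
    const entry = { headers: res.headers, body: res.body };
    store.set(key, entry);
    return entry;
  };
}

// Simplified CORS read check: a request that sent Origin may read the
// response only if Access-Control-Allow-Origin matches it (or is "*").
function corsReadable(req, res) {
  if (!req.origin) return true; // iframe load, no CORS check applies
  const acao = res.headers['access-control-allow-origin'];
  return acao === req.origin || acao === '*';
}

// Replays: iframe load (no Origin), CORS from origin 1, CORS from origin 2.
function scenario(honourVary) {
  const fetchVia = makeCache(honourVary);
  const url = 'https://static.example/test.txt'; // constructed URL
  const steps = [{}, { origin: 'https://a.example' }, { origin: 'https://b.example' }];
  return steps.map(req => corsReadable(req, fetchVia(url, req)));
}

console.log('URL-only key:   ', scenario(false));
console.log('Vary-aware key: ', scenario(true));
```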
