Double requests to scripts with crossorigin="use-credentials" attribute

Issue #12499065 • Assigned to Steven K.

Details

Author
Aleksander N.
Created
Jun 26, 2017
Privacy
This issue is public.
Found in
  • Microsoft Edge
Reports
Reported by 1 person


Steps to reproduce

Edge makes double HTTP GET requests to scripts requested by <script> tag with crossorigin="use-credentials" attribute set.

However, this happens only when the <script> tag is placed in the HTML document directly, not when the tag is created by another JS script and then appended to the DOM (using either appendChild or the document.write method).

I’m attaching an example which triggers this issue (index.html and script.js files) and a transcript of a webserver log which indicates that some requests are duplicated (I’ve used Python’s built-in HTTP server, but any HTTP server could be used).
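The reporter's attached index.html and script.js are not on this page. The following is an added reproduction harness, not the reporter's code: a small Python http.server that serves one page with the script tag written directly into the HTML and one page that inserts the same tag from JS, and serves script.js with a per-request serial number in its body so the browser console shows which of two responses actually executed (the reporter's "unique responses" check). The paths, port and the allowed origin list are assumptions for this example; set ALLOWED_ORIGINS to whatever host serves the HTML when the script is fetched cross-origin.

```python
"""Reproduction harness for doubled fetches of <script crossorigin="use-credentials">.

Added example (not the report's attachment). Routes served:
  /static.html  - script tag written directly into the HTML (reported as doubling)
  /dynamic.html - same tag created from JS and appended to the DOM (reported as not doubling)
  /script.js    - body carries a serial number so the console shows which response ran
Every GET is appended to request_log so duplicates can be counted from the server side.
"""
import itertools
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

SCRIPT_SRC = "/script.js"
# Constructed origin list; a credentialed CORS response must name the origin, '*' is rejected.
ALLOWED_ORIGINS = {"http://merchant.local:1234"}
_serial = itertools.count(1)
_lock = threading.Lock()
request_log = []  # (serial, path, user_agent) for every GET the server answered


def next_serial():
    with _lock:
        return next(_serial)


def script_body(serial):
    """JS whose only job is to report which server response is executing."""
    return (
        f"window.__scriptSerial = {serial};\n"
        f"console.log('script.js executed: response #{serial}');\n"
    )


def static_page():
    return (
        "<!doctype html><title>static</title>\n"
        f'<script crossorigin="use-credentials" src="{SCRIPT_SRC}"></script>\n'
    )


def dynamic_page():
    return (
        "<!doctype html><title>dynamic</title>\n"
        "<script>\n"
        "var s = document.createElement('script');\n"
        f"s.src = '{SCRIPT_SRC}';\n"
        "s.crossOrigin = 'use-credentials';\n"
        "document.head.appendChild(s);\n"
        "</script>\n"
    )


def duplicates(log):
    """Return {(path, user_agent): hits} for paths fetched more than once by the same UA."""
    seen = {}
    for _, path, ua in log:
        seen[(path, ua)] = seen.get((path, ua), 0) + 1
    return {key: hits for key, hits in seen.items() if hits > 1}


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        path = urlparse(self.path).path
        ua = self.headers.get("User-Agent", "")
        serial = next_serial()
        request_log.append((serial, path, ua))
        routes = {
            "/static.html": ("text/html", static_page()),
            "/dynamic.html": ("text/html", dynamic_page()),
            SCRIPT_SRC: ("application/javascript", script_body(serial)),
        }
        if path not in routes:
            self.send_error(404)
            return
        ctype, body = routes[path]
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        origin = self.headers.get("Origin")
        if origin in ALLOWED_ORIGINS:
            self.send_header("Access-Control-Allow-Origin", origin)
            self.send_header("Access-Control-Allow-Credentials", "true")
        self.send_header("Cache-Control", "no-store")  # keep every fetch visible in the log
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, fmt, *args):
        pass  # request_log is the record; silence the default stderr line per request


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 1234), Handler).serve_forever()
```

Load /static.html and /dynamic.html in the browser under test and compare `duplicates(request_log)` with the serial printed in the console; a doubled fetch shows up as two hits on /script.js from the same user agent, and the console serial tells you which of the two responses was executed.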

Attachments

Comments and activity

  • Changed Steps to Reproduce

  • Microsoft Edge Team

    Changed Assigned To to “Steven K.”

  • Hi,

    I am not able to repro this issue.  Can you tell me the version of Windows 10 you are using?  Win + s and then type ‘winver’ and hit the enter key.

    I want to verify that test case #2 is the only test that shows this issue?

    Also, do you have a different domain name for the html file or the js file being served?  CORS is for cross origin request security.  I guess that does not matter if you are getting this behavior.

    Have you tried these tests using a different web server, i.e. not the python built in web server?

    Can you verify what your settings are in the “Networking” section in Edge’s config page?  The URL for the Networking configuration is: about:flags and look near the very bottom of the page.  Is “Enable TCP Fast Open” or “Enable experimental networking features” enabled?

    Can you also take a fiddler trace for case #2?  Here are the instructions for collecting a fiddler trace:

    NOTE: Please do not visit any sites that contain personal or sensitive data such as passwords or financial data while collecting the trace.

    1. Download and install Fiddler on your machine. http://www.telerik.com/fiddler
    2. Run the Fiddler application and make sure “Capture Traffic” is selected under File menu.
    3. Reproduce the issue. (Launch Edge and go to the page that fails)
    4. Go to the fiddler and now you should see captured network traffic. Select all by using Ctrl+A or go to fiddler edit menu and choose select all
    5. Finally go to, File/Save/Selected sessions/in Archive Zip and then save the file and upload the file.

    Appreciate the help,

    Steve

  • Forgot to ask, do you have any cookies set?  I know the repro you provided does not have a cookie set explicitly.  Can you also make sure you don’t have any cookies set for that domain?

  • Hello, original poster here.

    Yes, I can observe duplicated requests only for case #2.

    Using crossorigin="anonymous" or not using crossorigin attribute at all results in no request doubling.
    Inserting the script tag dynamically into the DOM from JS results in no request doubling regardless of presence and value of crossorigin attribute on the tag being inserted.

    I am able to reproduce the issue on Nginx as well.

    I’ve tried both official Microsoft Edge VM (from https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) and a normal Windows installation on a laptop.

    On VM:

    Output of winver:

    Windows 10, Version 1607 (OS Build 12393.1358), Windows 10 Enterprise Evaluation

    Relevant part of Nginx access log (comparing request made from Firefox on localhost (expected behaviour) and from Edge on the VM):

    127.0.0.1 - - [25/Jul/2017:18:12:27 +0200] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0" "-" "-" "-"
    127.0.0.1 - - [25/Jul/2017:18:12:27 +0200] "GET /script.js HTTP/1.1" 304 0 "http://localhost:1234/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0" "-" "-" "-"
    10.5.7.1 - - [25/Jul/2017:18:12:41 +0200] "GET / HTTP/1.1" 200 443 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393" "-" "-" "text/html"
    10.5.7.1 - - [25/Jul/2017:18:12:41 +0200] "GET /script.js HTTP/1.1" 200 83 "http://10.5.7.1:1234/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393" "-" "-" "application/javascript"
    10.5.7.1 - - [25/Jul/2017:18:12:41 +0200] "GET /script.js HTTP/1.1" 200 83 "http://10.5.7.1:1234/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393" "-" "-" "application/javascript"

    F12->Network info:

    I’ve looked at the F12->Network console. The duplicated requests are visible there, with “Initiator / Type” value being “parsedElement” for 1st request and “script” for 2nd one.

    The requests look identical to me.
    I’ve also determined, using Wireshark, that the 2nd request gets sent some tens of ms after the first one, long before any response from the server arrives.

    By creating unique responses each time server-side, I’ve determined that the script that effectively gets executed is the content of 2nd response.

    Why do we need to use CORS at all:

    On production, we serve our JS from a different domain than our clients’ sites.

    We use crossorigin on script tag to allow a global onerror handler to receive detailed information about errors in the script (we need those for frontend error reporting).

    We cannot use crossorigin="anonymous" because it disallows setting a 3rd-party cookie when serving the JS.

    With respect to the request doubling, it seems it doesn’t matter whether the HTML and JS are actually served from different origins or the same one - I observed the same behaviour in both scenarios.

    about:flags -> Networking:

    I don’t see “Enable experimental networking features” option there.
    “Enable TCP Fast Open” is unchecked.
    After enabling TCP Fast Open and restarting the browser, the behaviour stays the same.

    Other things:

    I’ve also found an issue that looks somewhat similar:
    https://connect.microsoft.com/IE/feedback/details/1762233/edge-accept-language-header-strange-behavior

    The attached Fiddler trace (edge-doubled-requests.saz) is from the VM.
    The domains used there (merchant.local and cors.com) were mapped to the server on host machine using %SystemRoot%\System32\drivers\etc\hosts file.

    On a laptop:

    Output of winver:

    Windows 10, Version 1607 (OS Build 14393.693)

    Everything looks completely analogous to the VM.
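The reporter spotted the duplicate by reading the Nginx access log. The following is an added example, not part of the report, that does the same check mechanically: it parses the five log lines quoted above (the log format there is the combined format with three extra quoted fields), groups identical request lines by client and user agent, and flags groups hit more than once within a short window. Doubled credentialed fetches are worth catching in server logs because each carries the user's cookies, so anything keyed on a single hit (one-time tokens, rate limits, audit trails) sees two. The one-second window is an assumption chosen to match the "tens of ms" the reporter measured.

```python
"""Find doubled GETs in nginx access-log lines.

Added example. SAMPLE_LOG holds the five lines quoted in the report; the regex matches
the combined log format plus the three extra quoted fields visible in them.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = [
    '127.0.0.1 - - [25/Jul/2017:18:12:27 +0200] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0" "-" "-" "-"',
    '127.0.0.1 - - [25/Jul/2017:18:12:27 +0200] "GET /script.js HTTP/1.1" 304 0 "http://localhost:1234/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0" "-" "-" "-"',
    '10.5.7.1 - - [25/Jul/2017:18:12:41 +0200] "GET / HTTP/1.1" 200 443 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393" "-" "-" "text/html"',
    '10.5.7.1 - - [25/Jul/2017:18:12:41 +0200] "GET /script.js HTTP/1.1" 200 83 "http://10.5.7.1:1234/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393" "-" "-" "application/javascript"',
    '10.5.7.1 - - [25/Jul/2017:18:12:41 +0200] "GET /script.js HTTP/1.1" 200 83 "http://10.5.7.1:1234/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393" "-" "-" "application/javascript"',
]

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict of the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def browser_family(ua):
    """Coarse UA classification. Edge's UA also says Chrome and Safari, so test it first."""
    for token, name in (("Edge/", "Edge"), ("Firefox/", "Firefox"),
                        ("Chrome/", "Chrome"), ("Safari/", "Safari")):
        if token in ua:
            return name
    return "other"


def find_doubled_requests(lines, window_seconds=1.0):
    """Group identical requests (same client, UA and request line) and report groups
    that were hit more than once within window_seconds of a previous hit."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line (truncated, different format): skip rather than guess
        groups[(rec["client"], rec["ua"], rec["request"])].append(rec["time"])
    findings = []
    for (client, ua, request), times in groups.items():
        times.sort()
        burst = 1
        for earlier, later in zip(times, times[1:]):
            if (later - earlier).total_seconds() <= window_seconds:
                burst += 1
        if burst > 1:
            findings.append({"client": client, "browser": browser_family(ua),
                             "request": request, "count": burst})
    return findings


if __name__ == "__main__":
    for f in find_doubled_requests(SAMPLE_LOG):
        print(f"{f['browser']} at {f['client']} fetched '{f['request']}' "
              f"{f['count']}x within {1.0}s")
```

Run against a full access log, the report's pattern shows up as a single finding per affected client: the Edge client fetching /script.js twice in the same second, with nothing flagged for the Firefox client.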
