Fetch API requires CORS header on JavaScript apps

Issue #7984069 • Assigned to Brandon M.

Details

Author
Kagami R.
Created
Jun 24, 2016
Privacy
This issue is public.
Found in
  • Microsoft Edge
Found in build #
14.14372
Reports
Reported by 4 people

Sign in to watch or report this issue.

Steps to reproduce

  1. Run any JS UWP app with VS debugger attached
  2. Type fetch("https://google.com").then(response => response.text()).then(result => console.log(result)) on JS console
  3. Console says SEC7120: Origin null not found in Access-Control-Allow-Origin header.

Expected result: Fetch API should not require CORS on JS app context as XHR does not

Attachments

0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Ibrahim O.”

      Changed Assigned To to “Venkat K.”

      Changed Assigned To from “Venkat K.” to “Brandon M.”

    • This still exists on build 14393 and makes me unable to use Fetch on JS apps for Windows Store.

    • This even breaks whatwg-fetch polyfill so I have to insert a browser sniffing. :(

      if (self.fetch && navigator.userAgent.match(/Edge\/14\.([0-9]+)/)[1] > 14393) {
        return
      }
      
    • Please just allow all cross-origin calls when origin value is null. X(

    • Seconding this. fetch() cannot be used in extensions’ background scripts at all, even with permission granted.

    • The procedure interestingly generates SEC7120: Origin https://google.com not found in Access-Control-Allow-Origin header. on the latest Insider build 14986. So it is checking whether the target allows itself, which is fairly unexpected.

    • Thank you for bringing this bug to our attention.

      In the latest Windows Insider build (14986), have you tried adding the URI that you are fetching to the ApplicationContentUriRules?

      For example, you can try adding the following to the package.appxmanifest file under <Application>:
      <uap:ApplicationContentUriRules>
        <uap:Rule Match="https://*.bing.com" Type="include" />
      </uap:ApplicationContentUriRules>

      And then try running this in the console:
      fetch(“https://www.bing.com”).then(response => response.text()).then(result => console.log(result));

      Please let me know if that works for you.

    • It works but:

      1. Visual Studio says the setting is for iframes and WebViews
      2. I need Fetch for arbitrary URIs that I cannot list
      3. The policy is inconsistent for XHR and Fetch, it should affect all or never.
    • This is fixed now :D

    You need to sign in to your Microsoft account to add a comment.

    Sign in