Score:0

CORS access-control headers not visible in the response headers section of Chrome inspector

Using https://cors-test.codehappy.dev/ to test our test server's new CORS policy, we receive:

These are the response headers received when making the request:

access-control-allow-credentials: true
access-control-allow-methods: GET, POST, DELETE, PUT
access-control-allow-origin: https://*.hotjar.com
access-control-max-age: 300
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
strict-transport-security: max-age=63072000; includeSubDomains; preload
referrer-policy: strict-origin-when-cross-origin
server: cloudflare

Should we be able to see these headers in the response headers section of the network tab?

None of the access-control headers are visible:

access-control-allow-credentials: true
access-control-allow-methods: GET, POST, DELETE, PUT
access-control-allow-origin: https://*.hotjar.com
access-control-max-age: 300

Update: in an incognito window, the Last-Modified date/time was about 58 minutes ago.

The CORS access-control headers would not have been adjusted on the testing server since first posting here.

Jaromanda X: is the request in your browser identical to the one made by that cors-test site?
Steve: @JaromandaX, yeah, they're both a GET request to the same URL.
Jaromanda X: seems you do get one cors header, there's a note to disable cache to see full headers, did you do that?
Steve: @JaromandaX that `disable cache` message is for the request headers though, it's the response headers I thought we'd see the allow-control headers in
Jaromanda X: ahh, true, didn't read the image properly
HBruijn: I see references to two different CDNs in your question: both CloudFlare and CloudFront, which is strange. Are you really looking at the same thing with your tests? - Policies at the CDN level of either/both may override/hide whatever you're attempting to do at your origin/back-end server.
Score:1

There are 2 potential issues I see.

  1. The site's data has not changed since Oct 2022 according to your request; try clearing/disabling the cache in the browser. Your site may not be triggering a refresh of the cached data in the browser, and it's showing you old CORS data.

  2. You have a load balancer, http/https differences or access control based on connections. Ensure you are doing both tests from the same connection to ensure all is the same there. - I'd probably trust the results from the CORS tester over my own browser here.

Steve: Thanks. I've added an update to the question; 1) the response headers remain the same in Chrome incognito, and the last modified date/time was 58 minutes ago. 2) The `https://cors-test.codehappy.dev/` was always loaded with the same connection as a manual check, and again today. I'm wondering if Chrome ever shows allow-control headers...