
Using https://cors-test.codehappy.dev/ to test our test server's new CORS policy, we receive:

These are the response headers received when making the request:

access-control-allow-credentials: true
access-control-allow-methods: GET, POST, DELETE, PUT
access-control-allow-origin: https://*.hotjar.com
access-control-max-age: 300
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
strict-transport-security: max-age=63072000; includeSubDomains; preload
referrer-policy: strict-origin-when-cross-origin
server: cloudflare

Should we be able to see these headers in the response headers section of the network tab?


All the allow-control headers are not visible:

access-control-allow-credentials: true
access-control-allow-methods: GET, POST, DELETE, PUT
access-control-allow-origin: https://*.hotjar.com
access-control-max-age: 300

Update: in an incognito window, the Last-Modified date/time was about 58 minutes ago.

The CORS access-control headers would not have been adjusted on the testing server since first posting here.


Steve
    is the request in your browser identical to the one made by that cors-test site? – Jaromanda X May 17 '23 at 09:16
  • @JaromandaX, yeah, they're both a GET request to the same URL. – Steve May 22 '23 at 00:48
  • seems you do get one cors header, there's a note to disable cache to see full headers, did you do that? – Jaromanda X May 22 '23 at 00:55
  • @JaromandaX that `disable cache` message is for the request headers though, it's the response headers I thought we'd see the allow-control headers in – Steve May 22 '23 at 02:33
  • ahh, true, didn't read the image properly – Jaromanda X May 22 '23 at 03:18
  • I see references to two different CDNs in your question: both CloudFlare and CloudFront, which is strange. Are you really looking at the same thing with your tests? Policies at the CDN level of either/both may override/hide whatever you're attempting to do at your origin/back-end server. – HBruijn May 23 '23 at 08:45

1 Answer


There are 2 potential issues I see.

  1. The site's data has not changed since Oct 2022 according to your request; try clearing/disabling the cache in the browser. Your site may not be triggering a refresh of the cached data in the browser, and it's showing you old CORS data.

  2. You have a load balancer, HTTP/HTTPS differences, or access control based on connections. Ensure you are doing both tests from the same connection so that everything is the same there. I'd probably trust the results from the CORS tester over my own browser here.

Flash
  • Thanks. I've added an update to the question; 1) the response headers remain the same in Chrome incognito, and the last modified date/time was 58 minutes ago. 2) The `https://cors-test.codehappy.dev/` was always loaded with the same connection as a manual check, and again today. I'm wondering if Chrome ever shows allow-control headers... – Steve May 23 '23 at 02:36