Closed
Bug 1272302
Opened 9 years ago
Closed 5 years ago
navigator.sendBeacon doesn't set Origin header for same-origin request
Categories
(Core :: DOM: Networking, defect, P3)
Core
DOM: Networking
Tracking
()
RESOLVED
DUPLICATE
of bug 1424076
People
(Reporter: xiaoyin.l, Assigned: CuveeHsu)
References
(Blocks 1 open bug)
Details
(Whiteboard: btpp-backlog [necko-triaged])
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID: 20160511030221
Steps to reproduce:
1. Navigate to https://en.wikipedia.org/ with Firefox
2. Open Console in the Developer Tools
3. Type in the console: navigator.sendBeacon("abc","abc")
4. Switch to Network tab, click the POST request to "abc", you can see that Origin header is not set in the request.
5. Repeat steps 1-4 on Chrome and Edge on Windows 10 Preview Build 14342
Actual results:
In Firefox, Origin header is not set for same domain beacon request. Tested on Nightly 49.0a1
Expected results:
According to the spec (https://w3c.github.io/beacon/#sec-processing-model), sendBeacon should always set the Origin header regardless of whether it is same domain or cross domain.
Microsoft Edge on Build 14342 and Chrome always send Origin header, which is the correct behavior.
|
Reporter | |
Updated•9 years ago
|
Component: Untriaged → DOM
Product: Firefox → Core
Version: 49 Branch → unspecified
|
||
Comment 1•9 years ago
|
||
I don't see where the spec says to add the Origin header. Step 2 there is just setting the origin in a local variable. I'm on my mobile, though, so maybe I'm missing it. Can you point to the step you are looking at?
Flags: needinfo?(xiaoyin.l)
|
|
Reporter | |
Comment 2•9 years ago
|
||
(In reply to Ben Kelly [:bkelly] from comment #1)
> I don't see where the spec says to add the Origin header. Step 2 there is
> just setting the origin in a local variable. I'm on my mobile, though, so
> maybe I'm missing it. Can you point to the step you are looking at?
In Step 9, "Let req be a new request, initialized as follows". The "origin" is listed in the request. Also in Step 9, the mode is set to "CORS", which indicates Origin header should always be set.
|
|
||
Comment 4•9 years ago
|
||
We only send the Origin header for cross-origin CORS requests. This is a same-origin CORS request.
The spec is in a bit of disarray regarding Origin header. See these open spec issue:
https://github.com/whatwg/xhr/issues/31
https://github.com/whatwg/fetch/issues/225
I don't expect our behavior to change any time soon. We need to reach some kind of agreement between browsers.
Flags: needinfo?(xiaoyin.l)
Flags: needinfo?(bkelly)
|
||
Updated•9 years ago
|
Whiteboard: btpp-backlog
|
||
Comment 5•8 years ago
|
||
I think this is basically a duplicate of bug 446344, but let's leave it separate for now.
Depends on: 446344
|
||
Updated•6 years ago
|
Priority: -- → P3
|
||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
|
|
||
Updated•5 years ago
|
Component: DOM: Core & HTML → DOM: Networking
|
||
Comment 6•5 years ago
|
||
Anne, can you confirm what is the right behavior here?
Flags: needinfo?(annevk)
|
|
||
Comment 7•5 years ago
|
||
See https://github.com/whatwg/fetch/issues/871. Maybe Junior can look into this when he's back as he worked on clarifying the Origin header before.
Flags: needinfo?(annevk)
|
||
Comment 8•5 years ago
|
||
Assigning to Junior since he disabled NI while he's out :-)
Assignee: nobody → juhsu
|
||
Updated•5 years ago
|
Whiteboard: btpp-backlog → btpp-backlog [necko-triaged]
|
Assignee | |
Comment 9•5 years ago
|
||
I did a quick experiment and I believe bug 1424076 handles this.
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•