Chrome 77 made a change that requires code 204 to be returned from preflight OPTIONS requests, rather than code 200 (otherwise results in long response times for some API requests). This change is reflected in a recent commit to the asm89/stack-cors project here: https://github.com/asm89/stack-cors/commit/a779b74d5719b8a752dbb5fa83453...

Drupal core has automated tests in tests/Drupal/FunctionalTests/HttpKernel/CorsIntegrationTest.php::CorsIntegrationTest but it is unclear if these tests check the preFlight response.

Once a new version of asm89/stack-cors is released, either:

  • Update automated tests to handle the 204 response from CORS
  • OR: Add a new test for the preflight response handling.

This could be a minor issue if existing tests are not affected. But is a change in asm89/stack-cors for core devs to be aware of.

Also posting this for people searching for why CORS is broken (results in long response times) in D8.x with the latest Chrome 77 version. Until there is an official release of asm89/stack-cors, we will likely be pointing to the specific commit hash in our composer.json

CommentFileSizeAuthor
#2 3089999-1-asm89-cors-preflight-response-code.patch2.87 KBmr.baileys

Comments

mpotter created an issue. See original summary.

mr.baileys’s picture

mr.baileys
Primary language Dutch
Location 🇧🇪 (Ghent)
CreditAttribution: mr.baileys at SQLI - Belgium commented
Version: 8.8.x-dev » 8.9.x-dev
StatusFileSize
new 3089999-1-asm89-cors-preflight-response-code.patch2.87 KB

Drupal core has automated tests in tests/Drupal/FunctionalTests/HttpKernel/CorsIntegrationTest.php::CorsIntegrationTest but it is unclear if these tests check the preFlight response.

The test in \Drupal\FunctionalTests\HttpKernel\CorsIntegrationTest only covers CORS configuration and CORS responses to regular requests (GET and POST). It does not initiate a CORS preflight request. Quickly searching through all core tests, it doesn't look like we are doing preflight CORS requests anywhere in core, so the change in asm89/cors-stack should not cause any failures in our tests. Attached is a quick patch pinning asm89/stack-cors to the relevant commit to verify the claim that upgrading to the next version of asm89/stack-cors won't break anything.

Also posting this for people searching for why CORS is broken (results in long response times) in D8.x with the latest Chrome 77 version.

I was confused about why this change would cause long response times. Found the answer in Changes to Cross-Origin Requests in Chrome Extension Content Scripts:

Specifically, Site Isolation not only blocks the response, but prevents the data from ever being delivered to the Chrome renderer process containing the web page, using a feature called Cross-Origin Read Blocking (CORB).

... so essentially requests that do not pass CORS preflight request validation will just timeout.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

quietone’s picture

quietone CreditAttribution: quietone at PreviousNext commented
Status: Active » Closed (outdated)
Issue tags: +Bug Smash Initiative

@mpotter, thanks for making reporting this and making a patch.

This is now outdated. asm89/stack-cors has been updated more than once since this was created. The latest was to^2.1 in Aug 2022 #3302755: On-the-fly JavaScript minification.

I am closing this as outdated.