Sec-Fetch-Mode and blocked CORS

Asked Sep 19 '19 at 08:46

Active Feb 16 '21 at 05:05

Viewed 2.0k times

So I have the same website making the same request to the same server on (1) Chrome 76 and (2) Chrome 77 from different networks and computers.

One request has (1) Sec-Fetch-Mode: no-cors, Sec-Fetch-Site: cross-site and the other one (2) Sec-Fetch-Mode: cors, Sec-Fetch-Site: same-site. The one with no-cors fails with a 400 to a C# Web API endpoint with CORS enabled (for years and thousands of different users on all kinds of devices).

What is going on? There is talk of a Chrome bug not sending that header for pre-flight, but there it is and set to no-cors.

Security setting or bug in Chrome? Fixable server-side or front-end-side?

This is sent by an XMLHttpRequest, not the new Fetch-API.

edited Feb 16 '21 at 05:05

sideshowbarker

81,827
26
193
197

asked Sep 19 '19 at 08:46

Benjamin E.

5,042
5
38
65

Check if [this](https://www.w3.org/TR/fetch-metadata/#sec-fetch-mode-header) information could be helpful – Rajan Sharma Sep 19 '19 at 09:00
Yes, but I don't believe there is any control using XMLHttpRequest? – Benjamin E. Sep 19 '19 at 09:06
2

Hi did you manage to solve it? I'm having similar issue. – Bukks Feb 26 '21 at 13:32
I stopped having this problem. It might have been an interim issue in Chrome with the configurations I was running. If you run into this now it's likely just a bad CORS setup. – Benjamin E. Mar 01 '21 at 02:37

Sec-Fetch-Mode and blocked CORS

0 Answers0