
Safari is blocking a js module even with the same origin (e.g. http://sub.example.com/)

Blocked http://sub.example.com/mymodule.js from asking for credentials because it is a cross-origin request.
```
[Error] Blocked http://sub.example.com/mymodule.js from asking for credentials because it is a cross-origin request.
[Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (mymodule.js, line 0)
```

The module is loaded as follows:

```html
<script type="module" src="/mymodule.js"></script>
```

Why is Safari executing a CORS Request for loading the script when calling the page http://sub.example.com/ and other browsers aren't having the same problem?

  • Try adding the `crossorigin` attribute to that `script` element. That’s suggested per https://stackoverflow.com/a/60475081/441757 and some other answers here. – sideshowbarker May 04 '20 at 12:56
  • @sideshowbarker Thanks, I'll try this in some time. Is there any explanation for why CORS is even happening in Safari? – Leergut Günstig May 04 '20 at 12:57
  • I don’t know what the explanation is. The Safari behavior described in the question is not a requirement of the CORS protocol, and the error message isn’t a CORS message. So it seems to be some non-standard thing that Safari is doing on its own for some reason. – sideshowbarker May 04 '20 at 13:33
  • Update: I think a fix for this will ship in the next Safari release. As I understand it, the cause of it was that the Safari sources weren’t up to date with the latest requirements in the Fetch spec. But that has been fixed in Safari Technology Preview 105 https://webkit.org/blog/10428/release-notes-for-safari-technology-preview-105/. The fixes are https://trac.webkit.org/changeset/260003/webkit/ and https://trac.webkit.org/changeset/260038/webkit/. The original spec issue is https://github.com/whatwg/html/pull/3656 – sideshowbarker May 06 '20 at 02:39
