Bug 231928

Summary:

Show HTTP status code in CORS messages logged to devtools console that can indirectly result from HTTP errors

Product:

WebKit

Reporter:

sideshowbarker <mike>

Component:

Web Inspector

Assignee:

sideshowbarker <mike>

Status:

RESOLVED FIXED

Severity:

Enhancement

CC:

achristensen, cdumez, darin, ehutchison, eric.carlson, ews-watchlist, glenn, inspector-bugzilla-changes, japhet, jer.noble, katherine_cheney, mkwst, philipj, sergio, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	ews-feeder: commit-queue-
Patch	none
Patch	ews-feeder: commit-queue-
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none

sideshowbarker

Reported 2021-10-18 18:08:06 PDT

### Problem When a CORS request is sent to a server and the server responds with a 4xx or 5xx HTTP status code in the response, and the response doesn’t include the Access-Control-Allow-Origin header, the browser will always log a CORS error message to the devtools console — but may not (or even usually doesn’t) also log the HTTP status code to the console. As a result, many (or most) developers who are in the process of trying to troubleshoot the server-side CORS config (on the server the request was sent to) only see the CORS error — but don’t see the 4xx or 5xx HTTP status code — and so then often (or usually) assume that there’s a mistake in their CORS config, when in fact the actual cause is that a 4xx or 5xx error occurred. For some evidence and discussion of that problem, see the following: * https://stackoverflow.com/questions/54795541/503-return-from-server-is-branded-as-cors-violation-by-chrome * https://davidtruxall.com/misleading-cors-errors/ The effect of that problem is that, every day, it causes hundreds if not thousands of developers to waste hours trying to troubleshoot and identify mistakes in their server CORS config — mistakes they never find, because in fact their existing CORS config is already working as expected and instead the real cause is some 400 or 500 or 502 or whatever. The main reason those developers see CORS errors logged to the devtools console in those cases is that many (or most) runtimes/server systems by default do not add application-set response headers to 4xx and 5xx responses — including the Access-Control-Allow-Origin response header. (For example, Apache and nginx do not; in order to make them add the Access-Control-Allow-Origin response header to 4xx or 5xx errors, the `always` keyword needs to be added to the header-setting directive.) ### Proposed solution Make the HTTP status be included in all CORS messages that might get logged when a 4xx or 5xx error occurs. That means the following: * Failed to load resource: Origin foo is not allowed by Access-Control-Allow-Origin * Failed to load resource: Preflight response is not successful The proposal here is that in the case of, for example, a 500 error, those messages would instead be: * Failed to load resource: Origin foo is not allowed by Access-Control-Allow-Origin. Status code: 500 * Failed to load resource: Preflight response is not successful. Status code: 500

Attachments
Patch (3.29 KB, patch) 2021-10-18 18:35 PDT, sideshowbarker	ews-feeder: commit-queue-	Details Formatted Diff Diff
Patch (47.81 KB, patch) 2021-10-18 23:01 PDT, sideshowbarker	no flags	Details Formatted Diff Diff
Patch (47.81 KB, patch) 2021-10-18 23:06 PDT, sideshowbarker	ews-feeder: commit-queue-	Details Formatted Diff Diff
Patch (175.42 KB, patch) 2021-10-19 01:32 PDT, sideshowbarker	no flags	Details Formatted Diff Diff
Patch (175.42 KB, patch) 2021-10-19 02:01 PDT, sideshowbarker	no flags	Details Formatted Diff Diff
Patch (175.42 KB, patch) 2021-10-19 02:51 PDT, sideshowbarker	no flags	Details Formatted Diff Diff
Patch (175.42 KB, patch) 2021-10-19 04:11 PDT, sideshowbarker	no flags	Details Formatted Diff Diff
Patch (175.86 KB, patch) 2021-10-19 08:00 PDT, sideshowbarker	no flags	Details Formatted Diff Diff
Patch (178.87 KB, patch) 2021-10-21 04:12 PDT, sideshowbarker	no flags	Details Formatted Diff Diff
Patch (179.76 KB, patch) 2021-10-21 04:43 PDT, sideshowbarker	no flags	Details Formatted Diff Diff
Patch (180.29 KB, patch) 2021-10-21 07:56 PDT, sideshowbarker	no flags	Details Formatted Diff Diff
Patch (184.09 KB, patch) 2021-10-21 15:36 PDT, sideshowbarker	no flags	Details Formatted Diff Diff
Patch (183.14 KB, patch) 2021-10-21 16:41 PDT, sideshowbarker	no flags	Details Formatted Diff Diff
Patch (185.13 KB, patch) 2021-10-21 17:39 PDT, sideshowbarker	no flags	Details Formatted Diff Diff
Patch (188.89 KB, patch) 2021-10-21 21:00 PDT, sideshowbarker	no flags	Details Formatted Diff Diff
Patch (189.19 KB, patch) 2021-10-21 22:51 PDT, sideshowbarker	no flags	Details Formatted Diff Diff
Patch (189.14 KB, patch) 2021-11-01 16:00 PDT, sideshowbarker	no flags	Details Formatted Diff Diff
Show Obsolete (16) View All Add attachment proposed patch, testcase, etc.

sideshowbarker

Comment 1 2021-10-18 18:11:35 PDT

I should have mentioned in the issue description that I’ve written Gecko and Blink patches for this: * https://bugzilla.mozilla.org/show_bug.cgi?id=1736026 is the Gecko bug. The patch for that should be landing in the trunk there this week. * https://bugs.chromium.org/p/chromium/issues/detail?id=1260776 is the Chromium bug. The patch there is going take a while longer to land.

sideshowbarker

Comment 2 2021-10-18 18:35:39 PDT

Created attachment 441669 [details] Patch

sideshowbarker

Comment 3 2021-10-18 23:01:32 PDT

Created attachment 441690 [details] Patch

sideshowbarker

Comment 4 2021-10-18 23:06:21 PDT

Created attachment 441691 [details] Patch

sideshowbarker

Comment 5 2021-10-19 01:32:56 PDT

Created attachment 441699 [details] Patch

sideshowbarker

Comment 6 2021-10-19 02:01:31 PDT

Created attachment 441703 [details] Patch

sideshowbarker

Comment 7 2021-10-19 02:51:49 PDT

Created attachment 441704 [details] Patch

sideshowbarker

Comment 8 2021-10-19 04:11:31 PDT

Created attachment 441710 [details] Patch

sideshowbarker

Comment 9 2021-10-19 08:00:30 PDT

Created attachment 441726 [details] Patch

sideshowbarker

Comment 10 2021-10-20 19:25:15 PDT

I’m looking at the test failures and I see this: https://ews-build.s3-us-west-2.amazonaws.com/Windows-EWS/r441710-110694/results.html …and that’s failing because there’s a difference between the expected output and the actual output: https://ews-build.s3-us-west-2.amazonaws.com/Windows-EWS/r441710-110694/http/tests/xmlhttprequest/access-control-preflight-not-successful-pretty-diff.html -CONSOLE MESSAGE: Preflight response is not successful +CONSOLE MESSAGE: Preflight response is not successful. Status code: 302 That is, specifically, the expected output has no `Status code: 302` while the actual output does. But the patch does actually include a change to the expected output at http/tests/xmlhttprequest/access-control-preflight-not-successful-expected.txt — see https://bugs.webkit.org/attachment.cgi?id=441726&action=diff#a/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-not-successful-expected.txt_sec1 However, for some reason the expected output that the EWS test is picking up at https://ews-build.s3-us-west-2.amazonaws.com/Windows-EWS/r441710-110694/http/tests/xmlhttprequest/access-control-preflight-not-successful-expected.txt doesn’t include the change. So I don’t understand why the change from the patch isn’t reflected in the version the EWS test is using — and I don’t have an idea how to fix it…

Alex Christensen

Comment 11 2021-10-20 19:31:45 PDT

$ find LayoutTests -name access-control-preflight-not-successful-expected.txt LayoutTests/platform/win/http/tests/xmlhttprequest/access-control-preflight-not-successful-expected.txt LayoutTests/platform/mac-wk1/http/tests/xmlhttprequest/access-control-preflight-not-successful-expected.txt LayoutTests/http/tests/xmlhttprequest/access-control-preflight-not-successful-expected.txt There are different test expectations files for different platforms. You'll probably need to update all of them.

sideshowbarker

Comment 12 2021-10-21 04:12:04 PDT

Created attachment 442005 [details] Patch

sideshowbarker

Comment 13 2021-10-21 04:43:34 PDT

Created attachment 442009 [details] Patch

sideshowbarker

Comment 14 2021-10-21 07:56:38 PDT

Created attachment 442022 [details] Patch

sideshowbarker

Comment 15 2021-10-21 15:36:56 PDT

Created attachment 442076 [details] Patch

sideshowbarker

Comment 16 2021-10-21 16:41:04 PDT

Created attachment 442085 [details] Patch

sideshowbarker

Comment 17 2021-10-21 17:39:12 PDT

Created attachment 442097 [details] Patch

sideshowbarker

Comment 18 2021-10-21 21:00:31 PDT

Created attachment 442114 [details] Patch

sideshowbarker

Comment 19 2021-10-21 22:51:47 PDT

Created attachment 442125 [details] Patch

sideshowbarker

Comment 20 2021-10-22 01:55:27 PDT

(In reply to Alex Christensen from comment #11) > > There are different test expectations files for different platforms. You'll > probably need to update all of them. Aha, thanks — I’ve now updated all the tests, and EWS is all green. So I think this is ready for review from whoever might have time. Incidentally, the equivalent Firefox change has now landed and will ship in Firefox 95. - https://hg.mozilla.org/mozilla-central/rev/2b65a0fbcf8b - https://bugzilla.mozilla.org/show_bug.cgi?id=1736026

EWS

Comment 21 2021-10-25 14:33:32 PDT

ChangeLog entry in Source/WebKit/ChangeLog contains OOPS!.

Radar WebKit Bug Importer

Comment 22 2021-10-25 18:09:23 PDT

<rdar://problem/84640965>

Chris Dumez

Comment 23 2021-11-01 15:53:17 PDT

Comment on attachment 442125 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=442125&action=review > Source/WebKit/ChangeLog:28 > + Reviewed by NOBODY (OOPS!). double NOBODY line.

sideshowbarker

Comment 24 2021-11-01 16:00:49 PDT

Created attachment 443028 [details] Patch

EWS

Comment 25 2021-11-01 16:33:55 PDT

Committed r285145 (243782@main): <https://commits.webkit.org/243782@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 443028 [details].

Eric Hutchison

Comment 26 2021-11-02 10:03:05 PDT

Patch broke a few tests on iOS EWS: http/tests/app-privacy-report/user-attribution-preflight-async.html http/tests/app-privacy-report/user-attribution-preflight-sync.html http/tests/app-privacy-report/app-attribution-preflight-async.html http/tests/app-privacy-report/app-attribution-preflight-sync.html http/tests/privateClickMeasurement/attribution-conversion-through-fetch-keepalive.html Re-opening for a patch.

Kate Cheney

Comment 27 2021-11-02 10:12:29 PDT

Fixed test expectations in http://trac.webkit.org/changeset/285166/webkit.

sideshowbarker

Comment 28 2021-11-02 18:50:55 PDT

(In reply to Eric Hutchison from comment #26) > Patch broke a few tests on iOS EWS: > > http/tests/app-privacy-report/user-attribution-preflight-async.html > http/tests/app-privacy-report/user-attribution-preflight-sync.html > http/tests/app-privacy-report/app-attribution-preflight-async.html > http/tests/app-privacy-report/app-attribution-preflight-sync.html > http/tests/privateClickMeasurement/attribution-conversion-through-fetch- > keepalive.html (In reply to Kate Cheney from comment #27) > Fixed test expectations in http://trac.webkit.org/changeset/285166/webkit. Thanks much — and sorry for having not been more thorough myself — to have identified those tests as needing changes.

Kate Cheney

Comment 29 2021-11-03 09:05:03 PDT

(In reply to Michael[tm] Smith from comment #28) > (In reply to Eric Hutchison from comment #26) > > Patch broke a few tests on iOS EWS: > > > > http/tests/app-privacy-report/user-attribution-preflight-async.html > > http/tests/app-privacy-report/user-attribution-preflight-sync.html > > http/tests/app-privacy-report/app-attribution-preflight-async.html > > http/tests/app-privacy-report/app-attribution-preflight-sync.html > > http/tests/privateClickMeasurement/attribution-conversion-through-fetch- > > keepalive.html > > (In reply to Kate Cheney from comment #27) > > Fixed test expectations in http://trac.webkit.org/changeset/285166/webkit. > > Thanks much — and sorry for having not been more thorough myself — to have > identified those tests as needing changes. No worries, those tests don't run on open source EWS bots for various reasons so it would have been very tricky to catch them the first time around!

Eric Hutchison

Comment 30 2021-11-03 11:06:36 PDT

http/tests/privateClickMeasurement/attribution-conversion-through-fetch-keepalive.html continues to fail on iOS15 on EWS and Opensource.

Eric Hutchison

Comment 31 2021-11-03 11:08:00 PDT

Creating new bug report for failing test: http/tests/privateClickMeasurement/attribution-conversion-through-fetch-keepalive.html

Eric Hutchison

Comment 32 2021-11-03 11:42:08 PDT

Rebaselined http/tests/privateClickMeasurement/attribution-conversion-through-fetch-keepalive.html at https://trac.webkit.org/changeset/285218/webkit

Eric Hutchison

Comment 33 2021-11-03 11:42:38 PDT

(In reply to Eric Hutchison from comment #31) > Creating new bug report for failing test: > http/tests/privateClickMeasurement/attribution-conversion-through-fetch- > keepalive.html Disregard, re-baselined instead.

Note You need to log in before you can comment on or make changes to this bug.