RESOLVED FIXED 169851
Safari sends empty "Access-Control-Request-Headers" in preflight request 
https://bugs.webkit.org/show_bug.cgi?id=169851
Summary Safari sends empty "Access-Control-Request-Headers" in preflight request
Nolan Lawson
Reported 2017-03-18 14:25:20 PDT
Created attachment 304878 [details] Screenshot from WebInspector showing the empty Access-Control-Request-Headers being sent Instead of omitting the "Access-Control-Request-Headers" header, Safari will send an empty value, which causes compatibility problems with CouchDB 1.6.1 and CouchDB 2.0.0. I've filed the exact same bug on Chrome, and they've fixed it as of M57: https://bugs.chromium.org/p/chromium/issues/detail?id=633729 Neither Firefox nor Edge have this bug. I've also filed this as a compat bug on CouchDB, but they haven't fixed it yet: https://issues.apache.org/jira/browse/COUCHDB-3090 STR: 1. Install CouchDB, run it on http://localhost:5984 (e.g. using `brew install couchdb`) 2. Run `npm install -g add-cors-to-couchdb` 3. Run `add-cors-to-couchdb` 4. Open the URL: http://bl.ocks.org/nolanlawson/raw/68f8117655fce45f9172d4f00a4ccaf4/ Expected result: Safari doesn't send the header at all if the value is empty Actual result: Safari sends "Access-Control-Request-Headers: " which breaks CouchDB. I've reproduced in Safari Technology Preview Release 25 (Safari 10.2, WebKit 12604.1.8.1.2) on macOS Sierra (10.12.4 Beta (16E191a)).
Attachments
Screenshot from WebInspector showing the empty Access-Control-Request-Headers being sent (36.73 KB, image/png)
2017-03-18 14:25 PDT, Nolan Lawson 		no flags
Details
Patch (4.65 KB, patch)
2017-03-21 13:09 PDT, youenn fablet 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Anne van Kesteren
Comment 1 2017-03-18 23:16:55 PDT
https://w3c-test.org/fetch/api/cors/cors-preflight.html should test this in theory per https://github.com/w3c/web-platform-tests/pull/4556 but for some reason Safari times out (and both Chrome and Firefox fail the same tests, so further cleanup might be warranted).
youenn fablet
Comment 2 2017-03-21 13:09:48 PDT
Created attachment 305016 [details] Patch
Chris Dumez
Comment 3 2017-03-21 13:11:29 PDT
Comment on attachment 305016 [details] Patch r=me
youenn fablet
Comment 4 2017-03-21 13:19:36 PDT
(In reply to Nolan Lawson from comment #0) > Created attachment 304878 [details] > Screenshot from WebInspector showing the empty > Access-Control-Request-Headers being sent > > Instead of omitting the "Access-Control-Request-Headers" header, Safari will > send an empty value, which causes compatibility problems with CouchDB 1.6.1 > and CouchDB 2.0.0. Thanks for taking the time to file the bug here and for other various browsers. Improving web-platform-tests test coverage is also a great way for those kind of things, should you have some time for it in the future :)
Nolan Lawson
Comment 5 2017-03-21 15:00:19 PDT
No prob; happy to see this get fixed across all browsers! :) Thanks for the patch.
youenn fablet
Comment 6 2017-03-21 22:07:53 PDT
Submitted web-platform-tests pull request: https://github.com/w3c/web-platform-tests/pull/5192
WebKit Commit Bot
Comment 7 2017-03-22 10:18:30 PDT
Comment on attachment 305016 [details] Patch Clearing flags on attachment: 305016 Committed r214254: <http://trac.webkit.org/changeset/214254>
WebKit Commit Bot
Comment 8 2017-03-22 10:18:34 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.