Bug 169851 - Safari sends empty "Access-Control-Request-Headers" in preflight request
Status: RESOLVED FIXED
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: Safari Technology Preview
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: youenn fablet
 
Reported: 2017-03-18 14:25 PDT by Nolan Lawson
Modified: 2017-03-22 10:18 PDT

Attachments
Screenshot from WebInspector showing the empty Access-Control-Request-Headers being sent (36.73 KB, image/png)
2017-03-18 14:25 PDT, Nolan Lawson
Patch (4.65 KB, patch)
2017-03-21 13:09 PDT, youenn fablet

Description Nolan Lawson 2017-03-18 14:25:20 PDT
Created attachment 304878 [details]
Screenshot from WebInspector showing the empty Access-Control-Request-Headers being sent

Instead of omitting the "Access-Control-Request-Headers" header, Safari will send an empty value, which causes compatibility problems with CouchDB 1.6.1 and CouchDB 2.0.0.

I've filed the exact same bug on Chrome, and they've fixed it as of M57: https://bugs.chromium.org/p/chromium/issues/detail?id=633729

Neither Firefox nor Edge has this bug.

I've also filed this as a compat bug on CouchDB, but they haven't fixed it yet: https://issues.apache.org/jira/browse/COUCHDB-3090

STR:

1. Install CouchDB, run it on http://localhost:5984 (e.g. using `brew install couchdb`)
2. Run `npm install -g add-cors-to-couchdb`
3. Run `add-cors-to-couchdb`
4. Open the URL: http://bl.ocks.org/nolanlawson/raw/68f8117655fce45f9172d4f00a4ccaf4/

Expected result: Safari doesn't send the header at all if the value is empty

Actual result: Safari sends "Access-Control-Request-Headers: " which breaks CouchDB.

I've reproduced in Safari Technology Preview Release 25 (Safari 10.2, WebKit 12604.1.8.1.2) on macOS Sierra (10.12.4 Beta (16E191a)).
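
Added example, not part of the original report and not WebKit or CouchDB code: a server-side preflight check that treats an empty "Access-Control-Request-Headers" value the same as an omitted header, so the behaviour described above does not break it. The function names, the policy object shape and the sample requests are assumptions made for this sketch.

```javascript
// Hypothetical helpers written for this example; all sample data is constructed.

// Parse Access-Control-Request-Headers into lowercase header names.
// A missing header and an empty (or whitespace/comma-only) value both
// yield [], so "Access-Control-Request-Headers: " is handled like omission.
function parseRequestHeaders(value) {
  if (typeof value !== 'string') return [];
  return value.split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
}

// Decide the response to an OPTIONS preflight.
// `headers` uses lowercase keys, as Node's http module provides them.
// `policy` (assumed shape): { origins: [...], methods: [...], headers: [...] }
function answerPreflight(headers, policy) {
  const deny = { status: 403, headers: {} };
  const origin = headers['origin'];
  const method = headers['access-control-request-method'];
  if (!origin || !policy.origins.includes(origin)) return deny;
  if (!method || !policy.methods.includes(method)) return deny;

  const requested = parseRequestHeaders(headers['access-control-request-headers']);
  const allowed = policy.headers.map((h) => h.toLowerCase());
  if (requested.some((h) => !allowed.includes(h))) return deny;

  const out = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': policy.methods.join(', '),
    'Vary': 'Origin',
  };
  // Echo only the names that were requested and passed the allowlist.
  if (requested.length > 0) out['Access-Control-Allow-Headers'] = requested.join(', ');
  return { status: 204, headers: out };
}

// Constructed policy and preflight requests.
const policy = {
  origins: ['http://bl.ocks.org'],
  methods: ['GET', 'PUT', 'POST'],
  headers: ['Content-Type', 'Authorization'],
};
const base = { 'origin': 'http://bl.ocks.org', 'access-control-request-method': 'GET' };
const omitted = answerPreflight(base, policy);
const empty = answerPreflight({ ...base, 'access-control-request-headers': '' }, policy);
const listed = answerPreflight({ ...base, 'access-control-request-headers': 'content-type, X-Other' }, policy);
console.log(omitted.status, empty.status, listed.status); // 204 204 403
```
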
Comment 1 Anne van Kesteren 2017-03-18 23:16:55 PDT
https://w3c-test.org/fetch/api/cors/cors-preflight.html should test this in theory per https://github.com/w3c/web-platform-tests/pull/4556 but for some reason Safari times out (and both Chrome and Firefox fail the same tests, so further cleanup might be warranted).
Comment 2 youenn fablet 2017-03-21 13:09:48 PDT
Created attachment 305016 [details]
Patch
Comment 3 Chris Dumez 2017-03-21 13:11:29 PDT
Comment on attachment 305016 [details]
Patch

r=me
Comment 4 youenn fablet 2017-03-21 13:19:36 PDT
(In reply to Nolan Lawson from comment #0)
> Created attachment 304878 [details]
> Screenshot from WebInspector showing the empty
> Access-Control-Request-Headers being sent
> 
> Instead of omitting the "Access-Control-Request-Headers" header, Safari will
> send an empty value, which causes compatibility problems with CouchDB 1.6.1
> and CouchDB 2.0.0.

Thanks for taking the time to file the bug here and for various other browsers.
Improving web-platform-tests test coverage is also a great way for those kinds of things, should you have some time for it in the future :)
Comment 5 Nolan Lawson 2017-03-21 15:00:19 PDT
No prob; happy to see this get fixed across all browsers! :) Thanks for the patch.
Comment 6 youenn fablet 2017-03-21 22:07:53 PDT
Submitted web-platform-tests pull request: https://github.com/w3c/web-platform-tests/pull/5192
Comment 7 WebKit Commit Bot 2017-03-22 10:18:30 PDT
Comment on attachment 305016 [details]
Patch

Clearing flags on attachment: 305016

Committed r214254: <http://trac.webkit.org/changeset/214254>
Comment 8 WebKit Commit Bot 2017-03-22 10:18:34 PDT
All reviewed patches have been landed.  Closing bug.