Safari Referer and Origin headers in the preflight request do not change when the user navigates

I have two web pages hosted on a.example.com and b.example.com. Each web page loads a script through a <script> tag; the script is hosted on a different domain and served with the correct CORS headers.

At some point, the user moves from a.example.com to b.example.com.

Safari has a weird behavior: the Referer and Origin headers in the preflight request are populated with a.example.com, which makes the server send a bad value in Access-Control-Allow-Origin (and therefore the script cannot be executed).

Is there a way to get the Safari browser to send the correct origin header in this scenario?

+5
2 answers

Does the script's cache policy have Vary: Origin?

Accordingly, is there actually a second request after switching to b.example.com?

If not, there is a chance that Safari actually serves the script from the cache, although the Access-Control-Allow-Origin policy denies access to the resource, which is consistent with the behavior if the cache policy is not configured correctly.

+1
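A simplified model of the caching behavior this answer describes, as an added example that is not part of the original answer: a server reflects the request Origin into Access-Control-Allow-Origin, and a cache reuses the stored response with or without Vary: Origin. The script URL, the allowlist and all function names are constructed for illustration, and the cache is a model, not Safari's implementation.

```javascript
// Added example: simplified model, not Safari's actual cache implementation.
const ALLOWED = new Set(["https://a.example.com", "https://b.example.com"]);

// Server side: reflect an allowlisted Origin; optionally advertise Vary: Origin.
function serveScript(origin, sendVary) {
  const headers = { "content-type": "application/javascript" };
  if (ALLOWED.has(origin)) headers["access-control-allow-origin"] = origin;
  if (sendVary) headers["vary"] = "Origin";
  return { headers, body: "/* script */" };
}

// Cache side: an entry matches only if every request header named in the
// stored response's Vary has the same value as in the request that stored it.
class HttpCache {
  constructor() { this.entries = new Map(); }
  lookup(url, reqHeaders) {
    const e = this.entries.get(url);
    if (!e) return null;
    const vary = (e.response.headers["vary"] || "").split(",")
      .map((h) => h.trim().toLowerCase()).filter(Boolean);
    return vary.every((h) => e.reqHeaders[h] === reqHeaders[h]) ? e.response : null;
  }
  store(url, reqHeaders, response) { this.entries.set(url, { reqHeaders, response }); }
}

// Browser-side CORS check applied to whatever response ends up being used.
function corsAllows(response, origin) {
  const acao = response.headers["access-control-allow-origin"];
  return acao === "*" || acao === origin;
}

// Load the same script URL from each page origin in turn, through one cache.
function simulate(sendVary, pageOrigins) {
  const cache = new HttpCache();
  const url = "https://cdn.example.net/lib.js"; // constructed URL
  return pageOrigins.map((origin) => {
    const req = { origin };
    let res = cache.lookup(url, req);
    const fromCache = res !== null;
    if (!res) { res = serveScript(origin, sendVary); cache.store(url, req, res); }
    return { origin, fromCache, allowed: corsAllows(res, origin) };
  });
}
```

Calling `simulate(false, [...])` with the two page origins shows the second load served from cache and rejected by the CORS check; `simulate(true, [...])` shows it refetched and allowed.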

This really seemed to be a Safari bug.

The problem does not reproduce on Safari 10.0. It only reproduces in Safari 9.1.1 / 9.1.3.

0