
Using https://cors-test.codehappy.dev/ to test our test server's new CORS policy, we receive:

These are the response headers received when making the request:

    access-control-allow-credentials: true
    access-control-allow-methods: GET, POST, DELETE, PUT
    access-control-allow-origin: https://*.hotjar.com
    access-control-max-age: 300
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    strict-transport-security: max-age=63072000; includeSubDomains; preload
    referrer-policy: strict-origin-when-cross-origin
    server: cloudflare

Should we be able to see these headers in the response headers section of the network tab?


All the allow-control headers are not visible:

    access-control-allow-credentials: true
    access-control-allow-methods: GET, POST, DELETE, PUT
    access-control-allow-origin: https://*.hotjar.com
    access-control-max-age: 300

Update: in an incognito window, the Last-Modified date/time was about 58 minutes ago.

The CORS access-control headers would not have been adjusted on the testing server since first posting here.


  • Is the request in your browser identical to the one made by that cors-test site? Commented May 17, 2023 at 9:16
  • @JaromandaX, yeah, they're both a GET request to the same URL. Commented May 22, 2023 at 0:48
  • Seems you do get one CORS header; there's a note to disable cache to see full headers. Did you do that? Commented May 22, 2023 at 0:55
  • @JaromandaX that disable cache message is for the request headers though; it's the response headers I thought we'd see the allow-control headers in. Commented May 22, 2023 at 2:33
  • I see references to two different CDNs in your question: both CloudFlare and CloudFront, which is strange. Are you really looking at the same thing with your tests? Policies at the CDN level of either/both may override/hide whatever you're attempting to do at your origin/back-end server. Commented May 23, 2023 at 8:45

1 Answer

There are 2 potential issues I see.

  1. The site's data has not changed since Oct 2022 according to your request, so try clearing/disabling cache in the browser. Your site may not be triggering a refresh of the cached data in the browser and it's showing you old CORS data.

  2. You have a load balancer, HTTP/HTTPS differences, or access control based on connections. Ensure you are doing both tests from the same connection to ensure all is the same there. I'd probably trust the results from the CORS tester over my own browser here.

  • Thanks. I've added an update to the question; 1) the response headers remain the same in Chrome incognito, and the last modified date/time was 58 minutes ago. 2) The https://cors-test.codehappy.dev/ was always loaded with the same connection as a manual check, and again today. I'm wondering if Chrome ever shows allow-control headers... Commented May 23, 2023 at 2:36
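Added example, not part of the original question or answer. It models the two things this thread turns on: the server (or the CDN in front of it) may attach access-control-* headers only when the request carries an Origin header, so a plain navigation viewed in the network tab shows none while a CORS tester, which does send Origin, sees all of them; and what a browser actually does with the reported header values once it has them, plus the Vary: Origin cache caveat behind the answer's first point. The conditional server behaviour is a constructed assumption used for illustration, not something observed on the asker's server; the header values are copied from the question; the origin https://app.hotjar.com is a made-up requesting origin.

```javascript
// Added example (not from the original post). The server behaviour below is an assumption
// chosen to illustrate the thread; the header values are the ones reported in the question.

// Response headers as reported by cors-test.codehappy.dev in the question.
const REPORTED_HEADERS = {
  'access-control-allow-credentials': 'true',
  'access-control-allow-methods': 'GET, POST, DELETE, PUT',
  'access-control-allow-origin': 'https://*.hotjar.com',
  'access-control-max-age': '300',
  'x-frame-options': 'SAMEORIGIN',
  'x-xss-protection': '1; mode=block',
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'server': 'cloudflare',
};

// Names of the CORS-related headers present in a response, sorted for stable comparison.
function accessControlHeaders(headers) {
  return Object.keys(headers).filter((h) => h.startsWith('access-control-')).sort();
}

// Hypothetical origin/CDN (assumption): CORS headers are added only when the request has an
// Origin header. A top-level navigation sends no Origin, so the network tab for that request
// shows none of them; a CORS tester does send Origin and therefore sees them.
function hypotheticalServer(requestHeaders) {
  const response = {};
  for (const [name, value] of Object.entries(REPORTED_HEADERS)) {
    if (!name.startsWith('access-control-')) response[name] = value;
  }
  if ('origin' in requestHeaders) {
    for (const name of accessControlHeaders(REPORTED_HEADERS)) {
      response[name] = REPORTED_HEADERS[name];
    }
  }
  return response;
}

// Browser-side check for a simple cross-origin GET, per the Fetch spec: the allow-origin
// value must be "*" or byte-for-byte the requesting origin; "*" is rejected when credentials
// are included; a credentialed request also needs Access-Control-Allow-Credentials: true.
// A pattern such as https://*.hotjar.com is never expanded by a browser.
function corsCheck(requestOrigin, withCredentials, responseHeaders) {
  const acao = responseHeaders['access-control-allow-origin'];
  if (acao === undefined) {
    return { allowed: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (acao === '*') {
    return withCredentials
      ? { allowed: false, reason: '"*" is not accepted for credentialed requests' }
      : { allowed: true, reason: 'wildcard origin' };
  }
  if (acao !== requestOrigin) {
    const hint = acao.includes('*')
      ? ' (browsers do not expand wildcard patterns; the value must be the exact origin or "*")'
      : '';
    return { allowed: false, reason: `origin ${requestOrigin} does not match ${acao}${hint}` };
  }
  if (withCredentials && responseHeaders['access-control-allow-credentials'] !== 'true') {
    return { allowed: false, reason: 'credentialed request without Access-Control-Allow-Credentials: true' };
  }
  return { allowed: true, reason: 'exact origin match' };
}

// Cache caveat: when CORS headers differ per request (present only with Origin, or echoing a
// specific origin), the response needs Vary: Origin, otherwise a browser or CDN cache can hand
// a later request the variant produced for a different one.
function missingVaryOrigin(responseHeaders) {
  const acao = responseHeaders['access-control-allow-origin'];
  if (acao === undefined || acao === '*') return false;
  const vary = (responseHeaders['vary'] || '').toLowerCase().split(',').map((v) => v.trim());
  return !vary.includes('origin') && !vary.includes('*');
}

// Walk through the thread's scenarios.
console.log('navigation, no Origin ->', accessControlHeaders(hypotheticalServer({})));
console.log('fetch with Origin     ->', accessControlHeaders(hypotheticalServer({ origin: 'https://app.hotjar.com' })));
console.log('browser verdict       ->', corsCheck('https://app.hotjar.com', true, REPORTED_HEADERS));
console.log('missing Vary: Origin  ->', missingVaryOrigin(REPORTED_HEADERS));
```

Run it with `node cors-model.js`. The practical check it suggests for the asker: reproduce the CORS tester's request from the browser itself (for example `fetch(url, { mode: 'cors', credentials: 'include' })` from another origin's console, with caching disabled) rather than comparing against a top-level navigation, and then look at both the response headers and the console's CORS error, since a value like `https://*.hotjar.com` will be reported but not honoured.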
