Debug profile CORS issue with Chrome 76

Created August 09, 2019 12:44

the same to me

Created August 09, 2019 14:07

Debugging Vue.js in Chrome 76.0.3809.100 works fine for me, no CORS issues. What server is your app hosted on, what errors can you see namely?

Elena Pogorelova

Created August 09, 2019 14:09

Cross-Origin Resource Sharing (CORS) is subject of change in Chrome version 76. New headers are introduced as part of security and those must handled in the code. Later the CORS requests of extensions must be handled in background pages rather then content scripts.

Read all about the recommended actions (for developers) and further restrictions on this page of Google:

Changes to Cross-Origin Requests in Chrome Extension Content Scripts

For updates you can follow this bug report:

Issue 989443: CORS policy in v76 restricting XMLHttpRequest in cross domain cases.

For information about Cordova specifically, follow the updates here:

Issue 991107: cordova app could not make XHR requests from a file any more

D Kelly

Created August 09, 2019 14:23

Thanks for the updates.

Both are localhost.

I am testing VueJS against out current backend and have an unlocked version which allows CORS. The backend server is NodeJS/Hapi.

The front-end application is VueJS running the standard VueJS `npm serve` script.

As I said above I can access the front-end through a "normal" Chrome window. It's getting Webstorm to hook into the debugger through a standard Webstorm JavaScript Debug Configuration.

Is there anything on there that we can do? Or do we wait for a Webstorm update?

Elena Pogorelova

Created August 09, 2019 14:30

>Is there anything on there that we can do? Or do we wait for a Webstorm update?

Updating WebStorm will unlikely help, as I'm not aware of any issues in it that might cause the problem.

So, once more: what errors can you see namely? Does enabling Allow unsigned requests option in Settings | Build, Execution, Deployment | Debugger make any difference?

D Kelly

Created August 09, 2019 17:13

Thank you.

Error is

"Access to XMLHttpRequest at 'https://<machinename>api/v2/jobs' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource."

So I may be able to change the Vue server to post on "<machinename>"

Unsigned requests does fix the problem

Matt Schleindl

Created August 11, 2019 12:03

Unsigned requests fixes it for me as well

Nick Taylor

Created August 14, 2019 10:30

Unsigned requests fixed it here too.

Browsing to localhost when not in Debug works fine on its own. I don't like the idea of having to check that box. It's actually causing things to work differently to a normal browsing experience. Things might end up getting allowed, that we really don't want to be, but might not be aware of it until later testing outside of the development environment.

Elena Pogorelova

Created August 14, 2019 12:35

When debugging, the x-ijt header is sent for request signing to prevent requests from outside from being rejected; header is not sent if "Allow unsigned connections" is enabled, so, if you are facing issues because of this header, you have to turn this option on.

2005101249

Created August 17, 2019 05:23

Allow unsigned requerst(webstorm settings > Build, Execution, Deployment > Debugger > Build-in server > option) does fix it.

But I think it's not good way to solve the problem like Nick Taylor.

And following errors still have occured!

GET https://localhost:8080/sockjs-node/info?t=1566019099198 net::ERR_CERT_AUTHORITY_INVALID

...

Stefan

Created June 02, 2020 07:03

This started happening to me two days ago. Only when debugging. Any ideas?

edit: this is in PHPStorm 2020.1.1 and Chrome Version 83.0.4103.61. CORS headers ARE present on the requested resource and it works fine when not being attached to debugger. No OPTIONS request sent.

edit2: Allow unsigned request does not fix it.

Elena Pogorelova

Created June 02, 2020 14:01

>Allow unsigned request does not fix it

that's strange, this option does normally help if the issue is indeed specific to debugging. When debugging on the built-in web server, the x-ijt header is sent for request signing to prevent requests from outside from being rejected; header is not sent if "Allow unsigned connections" is enabled, so, if you are facing issues because of this header, turning this option on is enough to get rid of CORS problems

Stefan

Created June 02, 2020 14:53

Ah, I am not debugging on the built-in web server. The option makes no difference, but the issue is related to debugging, because it only happens when debugging localhost:3000.

Elena Pogorelova

Created June 02, 2020 15:05

No additional headers are sent then, the results shouldn't be specific to debugging

Elena Pogorelova

Created June 02, 2020 15:06

could you share a sample project the issue can be repeated with?

Stefan

Created June 02, 2020 17:39

It only happens when launching chrome in a debug configuration from a phpstorm, it's fine both in incognito and regular chrome when not attached to phpstorm debugger. For now I've disabled security in chrome using some argument when launching it (not by the computer right now).

I can try to create a project later, since this currently is part of a fairly large react application.