Hey guys,
This isn't a Chrome specific thing (not allowed in Firefox either),
but I'm hoping someone can explain to me why it isn't allowed (i.e.
what security restriction am I violating). I'm trying to make a CORS
POST request "with credentials" so update someone's state in my app.
When I do this with HTTP, it works fine, but with HTTPS, no dice. Here
are the headers and response from the preflight:
Request URL:
https://mydomain.com/resource
Request Method:OPTIONS
Status Code:200 OK
Request Headers
Accept:*/*
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Access-Control-Request-Headers:X-CSRFToken
Access-Control-Request-Method:POST
Cache-Control:no-cache
Connection:keep-alive
Cookie: [COOKIES]
Host:
mydomain.com
Origin:
https://www.google.com
Pragma:no-cache
Referer:
https://www.google.com/
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/
535.19 (KHTML, like Gecko) Chrome/18.0.1025.151 Safari/535.19
Response Headers
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:X-CSRFToken
Access-Control-Allow-Methods:POST, GET, OPTIONS
Access-Control-Allow-Origin:
https://www.google.com
Access-Control-Max-Age:86400
Connection:keep-alive
Content-Encoding:gzip
Content-Length:20
Content-Type:text/html; charset=utf-8
Date:Mon, 09 Apr 2012 00:32:51 GMT
Server:nginx/0.8.54
Vary:Accept-Encoding
and then the request headers for the POST request:
Request URL:
https://mydomain.com/resource
Request Method:POST
Request Headers
Accept:*/*
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:no-cache
Connection:keep-alive
Host:
mydomain.com
Origin:
https://www.google.com
Pragma:no-cache
Referer:
https://www.google.com/
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/
535.19 (KHTML, like Gecko) Chrome/18.0.1025.151 Safari/535.19
and the error message I get in the dev tools is one like, XHR to
mydomain.com not allowed form
https://www.google.com by Access-Control-
Allow-Origin, although this works both over HTTP and when make
requests to my dev server, which is from
https://www.google.com but to
http://local.somedomain.com.
Any thoughts on what's wrong here?