CORS problem with Safari, S3, and XMLHttpRequests withCredentials

PLATFORM AND VERSION

OS X

OSX 10.12.5, Safari 10.1.1. We've tested on multiple machines (Safari 10.1.2 as well).


DESCRIPTION OF PROBLEM

We're migrating from a single server to AWS and have had a number of issues with CORS. We have some users with proxies, and in order to fix our proxy CORS issues, we enabled cookie forwarding in CloudFront and added withCredentials=true to all of our XHR requests.


Unfortunately, Safari does not like this (in fact, adding withCredentials=true seems to cause CORS issues even outside of the proxy).


Origin [REDACTED] is not allowed by Access-Control-Allow-Origin

Failed to load resource: Origin [REDACTED] is not allowed by Access-Control-Allow-Origin

XMLHttpRequest cannot load [REDACTED, CDN] due to access control checks.


Is there anything known about Safari, S3, and CORS issues that may help us here? Our CORS policy has the redacted origin above listed as an allowed origin, so I'm not sure what is happening here (or why withCredentials=true is causing a problem when we are outside of the proxy). Please note that in Safari, withCredentials=true causes issues when using the proxy as well. Chrome, Firefox and Internet Explorer do not seem to have issues.
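For reference, an added example that is not part of the original post: browsers accept the response to an XHR sent with withCredentials=true only if Access-Control-Allow-Origin equals the requesting origin exactly (a `*` wildcard is rejected) and Access-Control-Allow-Credentials is the literal string `true`. The sketch below applies those rules to a set of captured response headers; the function name, origins and header sets are constructed for illustration, and the Vary check is an extra CDN caching hint, not part of the browser's check.

```javascript
// Added example (not from the thread): applies the browser's CORS rules for a
// request sent with withCredentials = true to a set of response headers.
// Origins and header sets are constructed sample values.
function checkCredentialedCors(pageOrigin, responseHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();   // header names are case-insensitive
  }
  const problems = [];
  const warnings = [];
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) {
    problems.push('missing Access-Control-Allow-Origin');
  } else if (acao === '*') {
    problems.push('wildcard Access-Control-Allow-Origin is rejected when credentials are sent');
  } else if (acao !== pageOrigin) {
    problems.push(`Access-Control-Allow-Origin "${acao}" does not match "${pageOrigin}"`);
  }
  // The value must be the exact, case-sensitive string "true".
  if (h['access-control-allow-credentials'] !== 'true') {
    problems.push('Access-Control-Allow-Credentials is not "true"');
  }
  // Caching hint only: without Vary: Origin a shared cache (such as a CDN) may
  // replay a response generated for one origin to a page on another origin.
  const vary = (h['vary'] || '').toLowerCase().split(',').map((s) => s.trim());
  if (acao !== undefined && acao !== '*' && !vary.includes('origin') && !vary.includes('*')) {
    warnings.push('no Vary: Origin on an origin-specific response');
  }
  return { allowed: problems.length === 0, problems, warnings };
}

const PAGE_ORIGIN = 'https://app.example.test'; // constructed origin
const SAMPLES = {
  wildcard: { 'Access-Control-Allow-Origin': '*' },
  noCredentialsHeader: { 'access-control-allow-origin': PAGE_ORIGIN, Vary: 'Origin' },
  otherOriginCached: { 'Access-Control-Allow-Origin': 'https://other.example.test',
                       'Access-Control-Allow-Credentials': 'true' },
  correct: { 'Access-Control-Allow-Origin': PAGE_ORIGIN,
             'Access-Control-Allow-Credentials': 'true',
             Vary: 'Origin, Access-Control-Request-Method' },
};
for (const [label, headers] of Object.entries(SAMPLES)) {
  const r = checkCredentialedCors(PAGE_ORIGIN, headers);
  console.log(label, r.allowed ? 'PASS' : 'FAIL', r.problems.concat(r.warnings));
}
```

To use it on real traffic, copy the response headers for the failing request from Safari's Web Inspector network tab into an object and pass them in with the page's origin.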

Hi,

I have also been trying something similar. Things worked fine on an older iOS version, and when I upgraded to version 10.12.6 things stopped working due to this cross-origin security alert, which blocked the browser from making any request to the server. I added CORS support to my server and added 'Access-Control-Allow-Origin' in the request header which I was making, and things started working in the standard browsers on iOS like Safari/Chrome/Firefox, which had stopped working.


For me the main issue is that our solution is for a captive portal, and it still doesn't work in the Captive portal network assistant browser, which comes up as a pop-up from the OS for the captive portal login page. As these CNA browsers, or the so-called mini browsers, have no debug console, you don't get exact details on the browser security warning. I did play around with grabbing the window error and dumping it on my webpage itself, and it just shows as some script error. I have been trying to find a way to dump the complete console output with these warnings, but the most you can do is get all your console.log/info/warn output dumped to some HTML element for display on the page. These CNA browsers are quite irritating, but we can't get away from it, as customers like to get a pop-up for captive portal login and they will use it for login purposes. I do see many vendors simply ask customers to enable captive portal bypass for iOS and Android devices, which will simply allow the traffic for these CNA test URLs, and the end user simply never gets a pop-up for login. A user will have to launch a web page from a standard browser to log in to the network, and if he doesn't know that he has to launch things from a browser then he will complain that his device is connected though none of his apps are working. Supporting these mini browsers is becoming more painful day by day.


Hope to get some help/suggestions from the iOS team on this.


Regards,

Kunal

Unfortunately this seems to be an issue to this day. Here's a Stack Overflow question with more details: https://stackoverflow.com/questions/79245340/unable-to-upload-directly-to-s3-from-ios-safari-on-a-cellular-network-due-to-cor
