CORS Problem with Safari 10.1.2

Platforms

Tested on iPhone iOS 10, macOS Sierra v10.12.6

Safari v10.1.2 (Safari v10.1.1 and below don't seem to have this problem, and neither do Chrome nor Firefox)


Description:

We're having a problem saving a photo through Google Cloud Storage. From the web inspector, we see that we're making a OPTIONS request to http://storage.googleapis.com/..., but we don't receive any response. Whereas, in other browsers or in other versions of Safari, we don't see a OPTIONS request, only the POST request. We've verified that our CORS configuration on the Google Cloud Storage bucket allows our origin.


Our request headers for the OPTIONS request look like this:

Access-Control-Request-Headers:

Referer: <referrer>

Origin: <origin>

Accept: */

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8

Access-Control-Request-Method: POST


These are the errors in the console:

http://storage.googleapis.com/... Failed to load resource: Origin <origin> is not allowed by Access-Control-Allow-Origin

XMLHttpRequest cannot load http://storage.googleapis.com/... Origin <origin> is not allowed by Access-Control-Allow-Origin.


Is there a issue with the latest version of Safari and CORS?

Experiencing a similar issue as described by OP. Sending a preflight OPTIONS request is hanging in iOS safari v10, but working fine in macOS safari, and other browsers.


Orangemilktea - did you manage to find a solution?

HI, I'm wondering if you can direct me to solutions for failing preflight OPTION check for redirect images that are cached. I'm wondering if CORSrule <AllowedMethod>OPTIONS</AllowedMethod> is required.

Possibly unrelated, but there is no Safari CORS preflight check error no the cached image if:
  1. The CORS redirect image is not yet cached in the client Safari (i.e. open a New Private window).

  2. There is a solidus (forward slash) at the end of the image redirect URL (maybe Safari thinks it's a dir instead of file and does different type of preflight?)

  3. The CORS redirect image URL is NOT the same host. For example the web page is abc.org and the image src is xyz.com redirecting aws.com the preflight check on the cached image is fine. (the CORS preflight error only happens when the web page is abc.org and the image src is also abc.org and the redirected image is on aws.com)


Thanks!
CORS Problem with Safari 10.1.2
 
 
Q