Page rules do not forward CORS


#1

If I set a page rule to forward some pages to other URLs,
it works, but in the 301 or 302 header the Access-Control-Allow-Origin is missing.
It is present on the destination page, but many browsers want it present also in the 301/302 headers.

Please fix that.

HTTP/1.1 302 Moved Temporarily
Date: Sun, 03 Mar 2019 12:59:28 GMT
Connection: keep-alive
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Location: [https://location with Access-Control-Allow-Origin: *]
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 4b1bc9ae6c2bcc5c-ZRH

should be:

HTTP/1.1 302 Moved Temporarily
Date: Sun, 03 Mar 2019 12:59:28 GMT
Connection: keep-alive
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Location: [https://location with Access-Control-Allow-Origin: *]
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
**Access-Control-Allow-Origin: ***
CF-RAY: 4b1bc9ae6c2bcc5c-ZRH


#2

This is fine normally, but when using FETCH or XMLHTTP, the Cloudflare URL gives:
blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource
while the original url works because it has the CORS header.


#3

Page rules don’t know anything about the original URL’s headers or the new URL’s headers, so page rules have no way to know whether or not CORS should be allowed. I had this same issue when dealing with a page constantly hitting my origin, and my page rule that mitigated the issue failed to correctly redirect requests.

The only way to send CORS with a redirect, without hitting your origin, is probably by using workers to perform the response.
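The Worker approach suggested in this post, as an added example (not code from any poster in this thread or from Cloudflare): a redirect answered at the edge that carries `Access-Control-Allow-Origin` on the 302 itself. The `REDIRECTS` table, its paths and the `buildRedirect` helper are assumptions made for illustration.

```javascript
// Constructed redirect table standing in for page rules (hypothetical paths;
// the targets are URLs that appear in this thread).
const REDIRECTS = new Map([
  ["/ip", "https://get.geojs.io/v1/ip"],
  ["/home", "https://example.com"],
]);

// "*" only satisfies requests made without credentials, which is the case
// discussed in the thread.
const CORS = { "Access-Control-Allow-Origin": "*" };

// Returns { status, headers } for a matching path, or null when no rule applies.
function buildRedirect(requestUrl, method) {
  const target = REDIRECTS.get(new URL(requestUrl).pathname);
  if (!target) return null;
  if (method === "OPTIONS") {
    // A CORS preflight must be answered with a 2xx status; browsers reject
    // a redirect here, so reply directly instead of sending Location.
    return {
      status: 204,
      headers: {
        ...CORS,
        "Access-Control-Allow-Methods": "GET, HEAD, POST, OPTIONS",
        "Access-Control-Allow-Headers": "*",
      },
    };
  }
  return {
    status: 302,
    headers: { ...CORS, Location: target, "Cache-Control": "no-store" },
  };
}

// Worker wiring (service-worker syntax). Skipped where the runtime has no
// global addEventListener, so the helper above can be exercised on its own.
if (typeof addEventListener === "function" && typeof Response === "function") {
  addEventListener("fetch", (event) => {
    const r = buildRedirect(event.request.url, event.request.method);
    // Unmatched paths fall through to the origin unchanged.
    event.respondWith(r ? new Response(null, r) : fetch(event.request));
  });
}
```

A fixed table is used instead of a `?url=` parameter so the Worker cannot be pointed at arbitrary destinations.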


#4

That’s not true… the redirection should always allow CORS.
The browser considers the second URL’s headers!

Example of correct 302:

< HTTP/1.1 302 Found
< Date: Sun, 03 Mar 2019 17:28:51 GMT
< Content-Type: text/html; charset=UTF-8
< Content-Length: 76
< Connection: keep-alive
< Keep-Alive: timeout=30
< Server: Apache/2
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: false
< Access-Control-Allow-Methods: HEAD,GET,POST,OPTIONS,PUT,PATCH,DELETE
< Access-Control-Allow-Headers: *
< Access-Control-Expose-Headers: *
< Location: https://example.com
< X-XSS-Protection: 0
< Access-Control-Allow-Methods: HEAD, GET, POST, PUT, DELETE, TRACE, PATCH, CONNECT, CHICKEN

If I do a fetch of a similar redirected URL, the URL is redirected correctly, and if “https://example.com” does not have the CORS headers, the request will fail, but if “https://example.com” also has “Access-Control-Allow-Origin: *” then the request succeeds.

In other words: Cloudflare redirection should work like this one:
Try it:
This will not work because stackoverflow has no CORS allowance.

fetch("https://cm2.pw/redirect?url=https://www.stackoverflow.com").then(function(t) {
    return t.text()||false;
}).then(c=>console.log(c))

This instead will work:

fetch("https://cm2.pw/redirect?url=https://get.geojs.io/v1/ip").then(function(t) {
    return t.text()||false;
}).then(c=>console.log(c))

Obviously, this also works:

fetch("https://cm2.pw/redirect?url=https://get.geojs.io/v1/ip").then(function(t) {
    return t.text()||false;
}).then(c=>console.log(c))

Please change it in the page redirection rule otherwise it’s almost useless.