Page rules do not forward CORS

If I set a page rule to forward some pages to other URLs,
it works, but in the 301 or 302 header the Access-Control-Allow-Origin is missing.
It is present on the destination page, but many browsers want it present also in the 301/302 headers.

Please fix that.

HTTP/1.1 302 Moved Temporarily
Date: Sun, 03 Mar 2019 12:59:28 GMT
Connection: keep-alive
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Location: [https://location with Access-Control-Allow-Origin: *]
Expect-CT: max-age=604800, report-uri="https://report-uri.Cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: Cloudflare
CF-RAY: 4b1bc9ae6c2bcc5c-ZRH

should be:

HTTP/1.1 302 Moved Temporarily
Date: Sun, 03 Mar 2019 12:59:28 GMT
Connection: keep-alive
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Location: [https://location with Access-Control-Allow-Origin: *]
Expect-CT: max-age=604800, report-uri="https://report-uri.Cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: Cloudflare
**Access-Control-Allow-Origin: ***
CF-RAY: 4b1bc9ae6c2bcc5c-ZRH

This is fine normally, but when using FETCH or XMLHTTP, the Cloudflare URL gives:
blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource
while the original URL works because it has the CORS header.

Page rules don’t know anything about the original URL’s headers or the new URL’s headers, so page rules have no way to know whether or not CORS should be allowed. I had this same issue when dealing with a page constantly hitting my origin, and my page rule that mitigated the issue failed to correctly redirect requests.

The only way to send CORS with a redirect, without hitting your origin, is probably by using workers to perform the response.

That’s not true… the redirection should always allow CORS.
The browser considers the second URL’s headers!

Example of correct 302:

< HTTP/1.1 302 Found
< Date: Sun, 03 Mar 2019 17:28:51 GMT
< Content-Type: text/html; charset=UTF-8
< Content-Length: 76
< Connection: keep-alive
< Keep-Alive: timeout=30
< Server: Apache/2
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: false
< Access-Control-Allow-Methods: HEAD,GET,POST,OPTIONS,PUT,PATCH,DELETE
< Access-Control-Allow-Headers: *
< Access-Control-Expose-Headers: *
< Location: https://example.com
< X-XSS-Protection: 0
< Access-Control-Allow-Methods: HEAD, GET, POST, PUT, DELETE, TRACE, PATCH, CONNECT, CHICKEN

If I do a fetch of a similar redirected URL, the URL is redirected correctly, and if “https://example.com” does not have the CORS headers, the request will fail, but if “https://example.com” also has “Access-Control-Allow-Origin: *” then the request succeeds.

In other words: Cloudflare redirection should work like this one:
Try it:
This will not work because stackoverflow has no CORS allowance.

fetch("https://cm2.pw/redirect?url=https://www.stackoverflow.com").then(function(t) {
    return t.text()||false;
}).then(c=>console.log(c))

This instead will work:

fetch("https://cm2.pw/redirect?url=https://get.geojs.io/v1/ip").then(function(t) {
    return t.text()||false;
}).then(c=>console.log(c))

As obviously this also works:

fetch("https://cm2.pw/redirect?url=https://get.geojs.io/v1/ip").then(function(t) {
    return t.text()||false;
}).then(c=>console.log(c))

Please change it in the page redirection rule otherwise it’s almost useless.
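The Worker approach suggested earlier in the thread, as an added example that is not code from any poster or from Cloudflare: the redirect is answered at the edge with `Access-Control-Allow-Origin` on the 302 itself, while the destination's own CORS headers still decide whether the final response is readable. The `REDIRECTS` map, its paths, `ALLOWED_ORIGIN` and `buildRedirect` are assumptions made for illustration.

```javascript
// Added example: a Worker that serves redirects with a CORS header attached.
// REDIRECTS, ALLOWED_ORIGIN and the example.com path are constructed values.
const REDIRECTS = new Map([
  ["/old-api/ip", "https://get.geojs.io/v1/ip"],
  ["/docs", "https://example.com/docs/"],
]);
const ALLOWED_ORIGIN = "*"; // with "*", browsers refuse credentialed requests

// Pure function: returns {status, headers} for a known path, or null to
// let the request continue to the origin untouched.
function buildRedirect(requestUrl, method) {
  const { pathname } = new URL(requestUrl);
  // Fixed allowlist: the destination never comes from a query parameter,
  // so the Worker cannot be used as an open redirector.
  const target = REDIRECTS.get(pathname);
  if (!target) return null;
  if (method !== "GET" && method !== "HEAD") {
    return { status: 405, headers: { Allow: "GET, HEAD" } };
  }
  return {
    status: 302,
    headers: {
      Location: target,
      // The header the page rule redirect in this thread does not send.
      "Access-Control-Allow-Origin": ALLOWED_ORIGIN,
      "Cache-Control": "no-store",
    },
  };
}

// Worker entry point (service-worker syntax); skipped outside the Workers runtime.
if (typeof addEventListener === "function" && typeof Response === "function") {
  addEventListener("fetch", (event) => {
    const r = buildRedirect(event.request.url, event.request.method);
    event.respondWith(r ? new Response(null, r) : fetch(event.request));
  });
}
```

Replace `"*"` with a specific origin when the redirected resource should only be readable from your own front end.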
