lardyNiji opened a new issue #1354: URL: https://github.com/apache/cordova-android/issues/1354
# Bug Report

## Problem

Simple GET xhr request (https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests) in cordova-android@^10.0.0 triggers CORS

### What is expected to happen?

Simple xhr GET request should not trigger CORS

### What does actually happen?

Simple xhr GET request should trigger CORS

Example: Access to XMLHttpRequest at 'https://www.google.com/' from origin 'https://localhost' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

## Information

I have tested with two Cordova applications out of the box:

- The first one in Cordova 9.1 works fine; the GET xhr call retrieves the remote site content

XHR request saved as cURL from Chrome network

```
curl 'https://www.google.com/' \
  -H 'authority: www.google.com' \
  -H 'user-agent: Mozilla/5.0 (Linux; Android 11; SM-G991B Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/93.0.4577.82 Mobile Safari/537.36' \
  -H 'accept: */*' \
  -H 'x-requested-with: com.example.hellocdv9' \
  -H 'sec-fetch-site: cross-site' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-dest: empty' \
  -H 'accept-language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7' \
  -H 'cookie: CONSENT=PENDING+960' \
  --compressed
```

Result in Chrome console:

> The XMLHttpRequest in status 200 with Google.com site content

- The second one in Cordova 10.1.1 does not work and is blocked by CORS

XHR request saved as cURL from Chrome network

```
curl 'https://www.google.com/' \
  -H 'authority: www.google.com' \
  -H 'user-agent: Mozilla/5.0 (Linux; Android 11; SM-G991B Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/93.0.4577.82 Mobile Safari/537.36' \
  -H 'accept: */*' \
  -H 'origin: https://localhost' \
  -H 'x-requested-with: com.example.hellocdv10' \
  -H 'sec-fetch-site: cross-site' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-dest: empty' \
  -H 'referer: https://localhost/' \
  -H 'accept-language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7' \
  --compressed
```

Result in Chrome console:

> The XMLHttpRequest in status 0 with the following error
> Access to XMLHttpRequest at 'https://www.google.com/' from origin 'https://localhost' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

### Command or Code

I've created two Cordova applications

- Cordova 9.x

```
cordova create hellocdv9 com.example.hellocdv9 HelloWorldcdv9
cd hellocdv9/
cordova platform add android
cordova build android
adb install ./platforms/android/app/build/outputs/apk/debug/app-debug.apk
```

- Cordova 10.x

```
cordova create hellocdv10 com.example.hellocdv10 HelloWorldcdv10
cd hellocdv10/
cordova platform add android@^10.0.0
cordova plugin remove cordova-plugin-whitelist
cordova build android
adb install ./platforms/android/app/build/outputs/apk/debug/app-debug.apk
```

- File changes for both applications

> www/index.html

```
32c32 < <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; img-src 'self' data: content:;"> --- > <meta http-equiv="Content-Security-Policy" content="default-src * data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; img-src 'self' data: content:;">
```

> www/js/index.js

```
28a29,37 > let xhr = new XMLHttpRequest(); > xhr.open('GET', 'https://www.google.com'); > xhr.onload = function() { > console.log(xhr, xhr.responseText); > }; > xhr.onerror = function(e) { > console.error(e, xhr); > }; > xhr.send();
```

### Environment, Platform, Device

Device

> android: 11
> target api: 30

### Version information

First app

> cordova: 9.1.0
> cordova-plugin-whitelist: 1.3.5

Second App

> cordova: 10.1.1
> No plugin

Cordova Cli: 10.0.0

## Checklist

- [x] I searched for existing GitHub issues
- [x] I updated all Cordova tooling to most recent version
- [x] I included all the necessary information above
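
Review bot: in the www/index.html change, replacing `'self'` with `*` in `default-src` widens every fetch directive that falls back to it (script, connect, frame and others) while `'unsafe-eval'` is still listed, although the reproduction only needs the XHR in www/js/index.js to reach https://www.google.com. Keeping `default-src 'self' ...` and adding a dedicated `connect-src 'self' https://www.google.com` would exercise the same request under a narrower policy.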
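
Added example (not part of the original issue and not cordova-android code): a simplified JavaScript model of the two browser decisions behind the report, whether a request needs a preflight and whether the response passes the CORS check. It follows the Fetch rules in reduced form (no header value-length limits, no Range handling); the function names and the sample response headers are constructed for illustration.

```javascript
// Simplified model of browser CORS handling; header names are compared lower-cased.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// True when the request is not "simple", so an OPTIONS preflight is sent first.
// authorHeaders: headers set by script via setRequestHeader(), not ones the browser adds.
function needsPreflight(method, authorHeaders = {}) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(authorHeaders)) {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) return true;
    if (n === 'content-type' &&
        !SAFE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase())) return true;
  }
  return false;
}

// CORS check on the actual response: may script running at pageOrigin read it?
// This check applies to simple requests too; "simple" only means no preflight.
function responseReadable(pageOrigin, targetUrl, responseHeaders, withCredentials = false) {
  if (new URL(targetUrl).origin === pageOrigin) return true; // same-origin: no CORS check
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) return false;
  if (!withCredentials) return acao === '*' || acao === pageOrigin;
  return acao === pageOrigin && h['access-control-allow-credentials'] === 'true';
}

// Combines both decisions for a request made without script-set headers.
function evaluateRequest(pageOrigin, method, url, responseHeaders) {
  return {
    preflight: needsPreflight(method),
    readable: responseReadable(pageOrigin, url, responseHeaders),
  };
}

// Constructed response headers: no Access-Control-Allow-Origin, as in the console error.
const reported = evaluateRequest('https://localhost', 'GET', 'https://www.google.com/',
                                 { 'content-type': 'text/html; charset=UTF-8' });
console.log(reported); // { preflight: false, readable: false }
```
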
