CORS issue because of Brave Shields #2252

Closed
SilencerWeb opened this issue Nov 27, 2018 · 32 comments · Fixed by brave/brave-core#1240
Labels
priority/P2 A bad problem. We might uplift this to the next planned release. QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-Plan-Specified QA/Yes release-notes/include webcompat/shields Shields is breaking a website.

Comments

@SilencerWeb

SilencerWeb commented Nov 27, 2018

Consolidated Test plan from all related issues

Test plan

  1. Open https://eslint-config-development.netlify.com.
  2. Console should not log any CORS errors

  1. Visit chart.js
  2. Ensure charts are not broken
  3. Console should not log any CORS errors

  1. Visit https://www.wikiloc.com/mountain-biking-trails/la-quinta-cove-226486
  2. Ensure the map shows correctly for both Satellite and Map
  3. Console should not log any CORS errors

  1. Open a new issue on GitHub with default shields settings
  2. Try to upload an image
  3. Should be able to upload image without any issues
  4. Console should not log any CORS errors

  1. Visit www.reddit.com
  2. Locate a posted video hosted by reddit (https://www.reddit.com/r/Seattle/comments/9uhb5h/snoqualmie_falls_with_foliage_thanks_wa/)
  3. Ensure video plays without any issue

  1. Visit https://d.tube and open any video
  2. Video should start streaming
  3. Console should not log any CORS errors

  1. Go to namecheap.com
  2. Search for a domain
  3. Search result should show up
  4. Console should not log any CORS errors

  1. Go to https://www.skill-capped.com/
  2. Login should be successful
  3. Console should not log any CORS errors

Original issue Description

I have a website deployed on Netlify that makes requests to a server deployed to Heroku; they are on different domains. I enabled CORS in my server setup, but I keep getting the error: Access to fetch at 'https://eslint-config-api-server.herokuapp.com/' from origin 'https://eslint-config-development.netlify.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request. It works like that only in Brave.

Steps to Reproduce

  1. Open https://eslint-config-development.netlify.com.
  2. Open console.

Brave version (brave://version info)

0.56.15 Chromium: 70.0.3538.110 (Official Build) (64-bit)

Reproducible on current release:

  • Does it reproduce on brave-browser dev/beta builds? I don't know, I don't use such builds.

Website problems only:

  • Does the issue resolve itself when disabling Brave Shields? Yes.
  • Is the issue reproducible on the latest version of Chrome? No.
@charlescrtr

Can confirm I'm seeing the same issue when trying to log in to https://prisma.io. Issue fixes itself when Shields are disabled.

Brave version
Version 0.56.15 Chromium: 70.0.3538.110 (Official Build) (64-bit)

@OrKoN

OrKoN commented Nov 29, 2018

I experience the same problem when trying to perform a CORS request with Brave:

Brave 0.56.15 Chromium: 70.0.3538.110 (Official Build) (64-bit)
Revision ca97ba107095b2a88cf04f9135463301e685cbb0-refs/branch-heads/3538@{#1094}

@bbondy bbondy added this to the 1.x Backlog milestone Dec 2, 2018
@tildelowengrimm tildelowengrimm added webcompat/shields Shields is breaking a website. priority/P4 Planned work. We expect to get to it "soon". labels Dec 3, 2018
@dwwoelfel

I think this is because Brave is stripping out the Origin header from the initial OPTIONS request.

@JFrankfurt

I am seeing this all over the place now that I am looking for it. (In fact, I'm seeing it on this github page right now.) It has caused me some problems with calls to non-origin servers in my own work and broken dApp usage with Brave.

@LukeDearden

LukeDearden commented Dec 10, 2018

Azure Portal is unusable in Brave because of this even with Shields down

@SilencerWeb
Author

Some of the charts from chart.js break because of this:

Here is the link to this example - https://www.chartjs.org/samples/latest/charts/line/multi-axis.html

@bsclifton
Member

Several +1s from brave/browser-laptop#15319

@renschler

renschler commented Dec 13, 2018

I also have this error but even with shields down.

I am collecting sensitive information within an iframe with a cross-domain src (do I have to manually whitelist the iframe domain from brave shield also?).

The iframe page makes a fetch call to POST the information. I'm noticing the CORS preflight OPTIONS request has the origin set to null as @dwwoelfel mentioned. Not sure if that's why it's failing? Things work in Firefox & Chrome.

@bbondy bbondy added priority/P2 A bad problem. We might uplift this to the next planned release. and removed priority/P4 Planned work. We expect to get to it "soon". labels Dec 13, 2018
@sudokai

sudokai commented Dec 13, 2018

Same problem here. Gmail 2FA broken because of this.

On our website, https://www.wikiloc.com, we use Apple MapkitJS and all maps are broken as well.

More users reporting the same issue: https://community.brave.com/t/latest-update-broke-cors-for-my-webapp/39135

Breakage on The Guardian, Facebook and Instagram: https://community.brave.com/t/too-many-redirects-fb-ig-the-guardian/39543/2

@olibri-us

Got a similar problem that I described there: brave/browser-laptop#15319

@SilencerWeb
Author

Gosh, these shields block even requests from Figma!

@jmadkins

The user's profile image doesn't load with Shields Up on the Azure Portal. Shields Down allows the profile image and some panes to load. However, the majority of panes don't load regardless of Shield settings.

Version 0.57.18 Chromium: 71.0.3578.80 (Official Build) (64-bit)

@iefremov iefremov self-assigned this Dec 17, 2018
@petethompson

I'm experiencing the same cross-origin issue with a JavaScript HTTP request from one of my clients' websites, requesting data from the service where they store their content. It seems like the Shield option for blocking cookies is responsible.

@iefremov
Contributor

This change seems to break all preflight CORS requests and hence all CORS requests that require preflight: https://github.com/brave/brave-core/pull/754/files

Since we always clean referrer for cross-origin requests, all these requests become redirects, and preflight redirects are not allowed by policy.

@bbondy @yrliou
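
Added example, not part of the thread and not Brave or Chromium code: a simplified JavaScript model of the preflight check in the Fetch standard, showing why a redirected preflight fails before any CORS header is even read. The request's header set and every response passed to it are constructed assumptions.

```javascript
// Simplified model of the Fetch standard's CORS-preflight check.
// Not Brave or Chromium code; all inputs are constructed samples.
const SAFELISTED_METHODS = ['GET', 'HEAD', 'POST'];

function parseList(value) {
  return (value || '').split(',').map((s) => s.trim()).filter(Boolean);
}

function checkPreflight(request, response) {
  // A preflight is never followed through a redirect: any 3xx fails it.
  if (response.status >= 300 && response.status <= 399) {
    return { ok: false, reason: 'redirect-on-preflight' };
  }
  if (response.status < 200 || response.status > 299) {
    return { ok: false, reason: 'non-ok-status' };
  }
  const headers = {};
  for (const [k, v] of Object.entries(response.headers)) headers[k.toLowerCase()] = v;

  const credentialed = request.credentials === 'include';
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) return { ok: false, reason: 'missing-allow-origin' };
  // "*" only satisfies requests sent without credentials.
  const wildcardOk = allowOrigin === '*' && !credentialed;
  if (allowOrigin !== request.origin && !wildcardOk) {
    return { ok: false, reason: 'origin-mismatch' };
  }
  if (credentialed && headers['access-control-allow-credentials'] !== 'true') {
    return { ok: false, reason: 'credentials-not-allowed' };
  }
  const methods = parseList(headers['access-control-allow-methods']);
  const methodOk = SAFELISTED_METHODS.includes(request.method) ||
    methods.includes(request.method) || (methods.includes('*') && !credentialed);
  if (!methodOk) return { ok: false, reason: 'method-not-allowed' };

  const allowed = parseList(headers['access-control-allow-headers']).map((h) => h.toLowerCase());
  for (const name of request.unsafeHeaders.map((h) => h.toLowerCase())) {
    // The wildcard never covers Authorization; it must be listed by name.
    const viaWildcard = allowed.includes('*') && !credentialed && name !== 'authorization';
    if (!allowed.includes(name) && !viaWildcard) {
      return { ok: false, reason: 'header-not-allowed:' + name };
    }
  }
  return { ok: true, reason: 'preflight-passed' };
}

// Constructed request from the reporter's origin (the header set is an assumption).
const sampleRequest = {
  origin: 'https://eslint-config-development.netlify.com',
  method: 'POST', credentials: 'omit', unsafeHeaders: ['Content-Type'],
};
```

The distinct `reason` values correspond to the distinct console messages quoted in this thread: a redirect on the preflight versus a missing `Access-Control-Allow-Origin` header.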

@iefremov
Contributor

iefremov commented Dec 18, 2018

Also affects:
#2034
#1999
#1581

@srirambv
Contributor

CORS Policy breaks image upload on vistaprint.com. The only way to upload image is to disable shields and use the site.

@iefremov
Contributor

iefremov commented Jan 9, 2019

Closed all dupes I could find.
Not sure about #2580, can't test it quickly.
#2286 is not related to this issue.

@btlechowski

btlechowski commented Jan 9, 2019

Verification passed on

Brave 0.58.20 Chromium: 71.0.3578.98 (Official Build) (64-bit)
Revision 15234034d19b85dcd9a03b164ae89d04145d8368-refs/branch-heads/3578@{#897}
OS Windows 7

Used test plan from OP.

Verified passed with

Brave 0.58.20 Chromium: 71.0.3578.98 (Official Build) (64-bit)
Revision 15234034d19b85dcd9a03b164ae89d04145d8368-refs/branch-heads/3578@{#897}
OS Mac OS X
  • Verified test plan from description

Verification PASSED on Mint 19.3 x64 VM using the following build:

Brave 0.58.20 Chromium: 71.0.3578.98 (Official Build) (64-bit)
Revision 15234034d19b85dcd9a03b164ae89d04145d8368-refs/branch-heads/3578@{#897}
OS Linux

@olibri-us

olibri-us commented Jan 12, 2019

Updated to 0.58.21 on Mac OS and it now works perfectly !
I love u guys ;)
Keep the good work up !!!!

@m-ret

m-ret commented May 6, 2019

I am having this issue right now on Version 0.63.48 Chromium: 74.0.3729.108 (Official Build) (64-bit).

Access to fetch at 'http://some/api/url' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

@ghost

ghost commented May 9, 2019

0.63.55 Chromium: 74.0.3729.131 (Official Build) (64-bit)

I'm receiving the same CORS preflight error as others. It prevents signing in to medium.com (via email, Twitter, Google, and FB). Issue persists with 'allow all cookies' enabled and with shields down.

@michaeltintiuc

michaeltintiuc commented May 15, 2020

Also happens on https://my.playstation.com/ for me with Brave 1.8.96 on Linux and works fine in Firefox
