03-23-2023 03:57 AM
I tested it both on a Django server and on FastAPI/Uvicorn. I will be using FastAPI/Uvicorn in this example as it is the simplest one (notice there are no CORS headers):
# main.py
from fastapi import FastAPI

app = FastAPI()


@app.get("/")
async def root():
    return {"message": "Hello World"}
$ uvicorn main:app --reload
INFO:     Uvicorn running on http://127.0.0.1:8000
For the frontend I will be using Visual Studio Code Live Server from which I will make a request. It’s a simple html page that contains a button and this JavaScript script:
const button2 = document.getElementById("button2");
button2.addEventListener("click", () => {
  fetch("http://127.0.0.1:8000/")
    .then((response) => {
      return response.json();
    })
    .then((data) => console.log(data));
});
Since both of them are running, let's click on the button and make a request from http://127.0.0.1:5500/ to http://127.0.0.1:8000/. According to the Same Origin Policy (a different port number) I should not be able to read the response, yet I can.
Now let's change http://127.0.0.1:5500/ to http://localhost:5500/ and make the request again. This time it does care about SOP:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://127.0.0.1:8000/. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200.
I tested it on Chromium: the response is blocked in both cases, so why is Firefox behaving like this?
Some more info about the request and response from web developer tools network tab:
from http://127.0.0.1:5500/ (not blocked):
Status            200 OK
Version           HTTP/1.1
Transferred       150 B (25 B size)
Referrer Policy   strict-origin-when-cross-origin
Request Priority  Highest
...
Response
HTTP/1.1 200 OK
date: Thu, 23 Mar 2023 10:07:30 GMT
server: uvicorn
content-length: 25
content-type: application/json
...
Request
GET / HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1:5500/
Origin: http://127.0.0.1:5500
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
from http://localhost:5500/ (blocked):
Status            200 OK
Version           HTTP/1.1
Transferred       150 B (25 B size)
Referrer Policy   strict-origin-when-cross-origin
Request Priority  Highest
...
Response
HTTP/1.1 200 OK
date: Thu, 23 Mar 2023 10:09:30 GMT
server: uvicorn
content-length: 25
content-type: application/json
...
Request
GET / HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://localhost:5500/
Origin: http://localhost:5500
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
I also noticed that even though it doesn't console.log the response from the blocked http://localhost:5500/, the Response tab shows the JSON payload message "Hello World", with this info above it: Response body is not available to scripts (Reason: CORS Missing Allow Origin)
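The two network captures above differ in exactly one security-relevant header: Sec-Fetch-Site is same-site for 127.0.0.1:5500 -> 127.0.0.1:8000 and cross-site for localhost:5500 -> 127.0.0.1:8000, even though both requests are cross-origin (the port differs) and neither response carries Access-Control-Allow-Origin. The script below is an added example, not code from the original post, that reproduces those verdicts with Node's WHATWG URL parser: origin is (scheme, host, port), while site drops the port and keeps only scheme plus registrable domain. It assumes a simplified site rule (an IP literal or a dotless host such as localhost is its own site; a real implementation consults the Public Suffix List) and a constructed copy of the uvicorn response headers. It models what the Fetch spec requires, which is what Chromium showed; it does not explain the Firefox result the post asks about.

```javascript
// Added example (not from the original post): same-origin vs same-site
// decisions and the CORS read check, for the URL pairs in the thread.

// Origin = (scheme, host, port). Two URLs are same-origin only if all match.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.hostname}${u.port ? ":" + u.port : ""}`;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Site = (scheme, registrable domain). The port is ignored, which is why
// 127.0.0.1:5500 -> 127.0.0.1:8000 is "same-site" despite being cross-origin.
// Assumption: an IP literal or a host without dots (localhost) is its own
// registrable domain; real browsers use the Public Suffix List here.
function siteOf(urlString) {
  const u = new URL(urlString);
  const host = u.hostname;
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  const isIPv6 = host.startsWith("[");
  if (isIPv4 || isIPv6 || !host.includes(".")) {
    return `${u.protocol}//${host}`;
  }
  // Naive fallback: last two labels. Wrong for suffixes like co.uk (see PSL).
  return `${u.protocol}//${host.split(".").slice(-2).join(".")}`;
}

// Value a browser puts in Sec-Fetch-Site for a request from `fromUrl` to
// `toUrl` ("none", used for user-initiated navigations, is omitted).
function secFetchSite(fromUrl, toUrl) {
  if (isSameOrigin(fromUrl, toUrl)) return "same-origin";
  if (siteOf(fromUrl) === siteOf(toUrl)) return "same-site";
  return "cross-site";
}

// Can script on `fromUrl` read a response from `toUrl`? Same-origin: always.
// Cross-origin: only if Access-Control-Allow-Origin echoes the requesting
// origin, or is "*" (acceptable for a credential-less fetch like the one in
// the post). Headers are passed as a plain object with lowercase names.
function responseReadable(fromUrl, toUrl, responseHeaders) {
  if (isSameOrigin(fromUrl, toUrl)) return true;
  const acao = responseHeaders["access-control-allow-origin"];
  return acao === "*" || acao === originOf(fromUrl);
}

// Constructed input: the headers uvicorn returned in the thread (no CORS header).
const API = "http://127.0.0.1:8000/";
const uvicornHeaders = {
  "content-type": "application/json",
  "content-length": "25",
};

for (const page of ["http://127.0.0.1:5500/", "http://localhost:5500/"]) {
  console.log(
    page,
    "-> same-origin:", isSameOrigin(page, API),
    "Sec-Fetch-Site:", secFetchSite(page, API),
    "readable without ACAO:", responseReadable(page, API, uvicornHeaders)
  );
}
```

Run with `node sop-check.js`; both pages come out cross-origin and unreadable, and only the Sec-Fetch-Site value differs. The fix on the server side is to send `Access-Control-Allow-Origin: http://127.0.0.1:5500` (or whichever page origin you trust), which the `responseReadable` check then accepts.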
01-18-2024 12:09 PM
Do you have HTTPS-only mode enabled? If so, this sounds like https://bugzilla.mozilla.org/show_bug.cgi?id=1751105