CORS request no longer working in plugin with SU2024. Websecurity change?

Given what MDN shows, does a POST request work correctly with respect to CORS?

Unfortunately no, it does not.

To give some context, this is the workflow:

  1. we send a GET request to get a slot ID from our backend API
  2. we send a POST request to upload a JSON version of the model to our backend with that slot ID as a parameter
  3. we send a DELETE request with the slot ID as a parameter, which returns an upload ID
  4. we send a PATCH request with that upload ID so that our backend triggers a processing of the uploaded model, and get a task ID as an answer.

What I observed:
Request 1 works with CORS - it’s just a GET request

Request 2 does not work with cors mode: the request is truncated, and our multipart/form-data message has a content-length of 0 when received by the backend, causing it to return a 500 error.
If we set the mode to ‘no-cors’ in the fetch parameters, then the response of the request is opaque, which means that the JavaScript script cannot read any returned value, including any potential error code.
We could still go down that road, as it is just an upload and we expect an empty reply, and it seems to succeed if we look at the backend logs.

Request 3 works - we are not setting any specific mode in the fetch parameters.

Request 4 fails with CORS: the endpoint needs an Authentication token, and the backend returns a 400 with the following message:

“The input does not contain any JSON tokens. Expected the input to start with a valid JSON token, when isFinalBlock is true. Path: $ | LineNumber: 0 | BytePositionInLine: 0.”]

Since the request 2 gets truncated with CORS, it feels that the Authentication token is truncated off the request 4 too.

We cannot afford to use no-cors mode for this request because we need to get the content of the backend response.

Just to confirm, we are running the plugin on a local server for debugging (http://localhost:8000) and the backend returns the access-control-allow-origin: http://localhost:8000 when queried with an OPTIONS request, so it matches the CORS requirements.

Last point to add, slightly on the tangent: we have a dynamic loading of the Javascript files used by the plugin, and it does not always load them, somehow.

In this screenshot, upon opening the plugin only the initialise.js script loads, and the execution stops somewhere without any error being thrown.

I just closed the plugin to reopen it (sometimes few times) and now the scripts are loaded.

This might be linked to this issue that I posted initially maybe (Fetching JSON data in HTML - #2 by DanRathbun) - I can also open another topic if it feels too unrelated.

@DanRathbun Good, then hopefully we can combine our forces to understand what’s happening.