Preflight Did Not Pass Access Control Check


The Context

  1. If JavaScript needs to make a cross-origin call and wants to include the authentication cookie, you set credentials to “include”. This way the target server understands that this user (from another domain) is authenticated (in that other domain). It is part of the web standard (the Fetch/CORS spec) that if credentials are set to “include”, a wildcard CORS response header (Access-Control-Allow-Origin: *) is not accepted in the preflight. For details: http://50linesofco.de/post/2017-03-06-cors-a-guided-tour .
  2. For a DRM subsystem, if access control is required (through a JWT token), the license request will have the HTTP Authorization header set to “Bearer [JWT]”. (Even though there are other ways to pass the JWT to the license server, such as customData or a URL query string, they are either not applicable in a multi-DRM environment or not recommended because they leave the JWT in the clear.)

The Issue

For certain MSE/EME based media players or player SDKs, such as Akamai Media Player (AMP), CORS errors may occur when requesting a DRM license with the Authorization header set to the JWT. To serve a license request, the license server does not need, require or care about the user's authentication cookie. So why does Akamai AMP set credentials to “include” in the license request? The reason is that Akamai AMP uses the dash.js code library, and dash.js sets credentials to “include” automatically whenever the “Authorization” header is set. This behavior of dash.js is not correct or justified, since the license request does not depend on the user's authentication status. In other words, the dash.js code should have been modified before being incorporated into the Akamai product. Microsoft Azure Media Player (AMP) does not set credentials to “include” for license requests, because we do not, and should not, include the user authentication cookie in a license request.

(preflight check failed)

In addition, authentication and authorization are totally separate concepts. The HTTP Authorization header carries the access token (JWT) that authorizes access to a backend resource (such as the license server), while the cookie carries authentication info. Setting credentials to “include” whenever an “Authorization” header is present mixes up authN and authZ in dash.js.

Recommendation

So the better solution is to ask the web video player vendor NOT to set credentials to “include”, since neither the origin nor the license server uses or requires the user's authN credential (cookie).
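To make the failure concrete, here is an added example (not code from this post, from dash.js or from Akamai AMP) that models the browser's CORS preflight check from the Fetch standard and runs it against a license request carrying a Bearer JWT, once in the credentialed mode dash.js used and once in the recommended non-credentialed mode. The origin, token and license-server preflight response are constructed sample values.

```javascript
// Added example (not from the post, dash.js or Akamai AMP): a model of the
// browser's CORS preflight check for a license request with a Bearer JWT.
// fetch() init for the license request. dash.js (before the fix) used
// credentials "include" whenever Authorization was set; "omit" is the
// recommended mode, since the license server never reads cookies.
function buildLicenseRequest(jwt, credentials = "omit") {
  return { method: "POST", headers: { Authorization: `Bearer ${jwt}` }, credentials };
}

// Returns null if the preflight response lets the real request proceed,
// otherwise the reason the browser blocks it (Fetch standard "CORS check").
function preflightCheck(origin, request, preflightResponse) {
  const header = (n) => (preflightResponse.headers[n.toLowerCase()] || "").trim();
  const withCreds = request.credentials === "include";
  const allowOrigin = header("Access-Control-Allow-Origin");
  const allowHeaders = header("Access-Control-Allow-Headers")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  if (allowOrigin === "") return "missing Access-Control-Allow-Origin";
  // A wildcard origin is never accepted once credentials are attached.
  if (allowOrigin === "*" && withCreds) return "wildcard origin with credentials";
  if (allowOrigin !== "*" && allowOrigin !== origin) return "origin mismatch";
  if (withCreds && header("Access-Control-Allow-Credentials") !== "true") {
    return "Access-Control-Allow-Credentials must be true";
  }
  // Each request header must be allowed by name; "*" only counts for
  // non-credentialed requests and never covers Authorization.
  for (const name of Object.keys(request.headers).map((n) => n.toLowerCase())) {
    const wildcardOk = allowHeaders.includes("*") && !withCreds && name !== "authorization";
    if (!wildcardOk && !allowHeaders.includes(name)) return `header not allowed: ${name}`;
  }
  return null;
}

// Constructed sample: a license server that answers preflights with a
// wildcard origin and explicitly allows the Authorization header.
const ORIGIN = "https://player.example.test";
const JWT = "eyJhbGciOi.sample.token";
const WILDCARD_PREFLIGHT = {
  headers: { "access-control-allow-origin": "*", "access-control-allow-headers": "Authorization" },
};
// Blocked: the credentialed mode dash.js chose cannot accept "*".
function dashjsBehaviour() {
  return preflightCheck(ORIGIN, buildLicenseRequest(JWT, "include"), WILDCARD_PREFLIGHT);
}
// Passes: no credentials, so the wildcard origin is acceptable.
function recommendedBehaviour() {
  return preflightCheck(ORIGIN, buildLicenseRequest(JWT, "omit"), WILDCARD_PREFLIGHT);
}
```

The same license server response is accepted or rejected purely on the player's credentials mode, which is the point of the recommendation above.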

Result

The Akamai Media Player team has agreed with my recommendation and has made the code change in dash.js.

Akamai has filed the bug with the DASH Industry Forum: https://github.com/Dash-Industry-Forum/dash.js/issues/2256. It has been approved, fixed and released.
