
Sophos 9.0.7 breaks browser AJAX CORS support in Chrome, Firefox.

Hi,

First, I hope this is posted in the correct place, apologies if not.

It seems like the, rather cryptically named, "Block malicious downloads from websites, protecting your Mac from obfuscated, polymorphic and zero-day threats before reaching your browser" option in 9.0.7 - Web Protection breaks AJAX CORS support in Chrome and Firefox (but not Safari).

This has been seen on OS X 10.7, 10.8 and possibly 10.9.

Is this the actual intended behaviour of this feature or does it actually do anything else?


If it is just a way of disabling browser CORS support it would be really helpful if you'd just label it as such. Even mentioning XSS would give a clue as to what Sophos is doing.

It would also be helpful to mention what this feature does in the knowledge base, as CORS headers can be fiddly to debug at the best of times.

AJAX CORS is a legitimate way to consume RESTful APIs in many thick client web applications.

At the very least it would be nice if it would respect proxy exceptions for intranet services and allow CORS to work for internal domains.

If it's a bug, then could you please open a ticket on it?

Thank you.



  • Hi Ajax,

    If you are a Sophos customer could you please call support so that we can try and diagnose this issue?

    I asked internally for some information on what you are seeing and received the following:

    There is certainly nothing in the code that specifically does anything special with AJAX CORS, although if the browser does something with the additional HTTP methods that CORS will produce then it's possible that the filter in SAV could see issues.

    The fact that Ajax says this is only an issue on Chrome and Firefox, but not on Safari, indicates that the preflight interpreters for the CORS methods are different between those browsers, and so the traffic could be slightly different as well.

    To investigate this we would need an example site to go to that generates the issue, or a tcpdump from the customer on Chrome (where it breaks), and on Safari (where it succeeds).

    Darren.

  • Thanks for the reply Darren.

    We actually discovered that if either of the "Web Protection - General" options are turned on then CORS requests are left pending.

    Our IT systems support team are in the process of passing on a proper ticket to our Sophos rep.

    The applications that have been affected are all private intranet systems so unfortunately they won't be available for testing, but we were able to get the same result using a general CORS test service:

    http://client.cors-api.appspot.com/client#?client_method=GET&client_credentials=true&client_headers=X-Foo%3A%201&server_enable=true&server_status=200&server_credentials=true&server_tabs=local&server_headers=X-Foo

    If you try that URL with the Chrome web inspector/network tab open you should expect to see a credentials flag error as the expected status message on the preflight OPTIONS request and the accompanying GET request is not made.

    What we're seeing with either of the Web Protect options enabled is that the OPTIONS request comes back with status 200 OK and the GET request is made but stays permanently in the "pending" state.

    I'll try to get proper TCP dumps passed along with the support request. Actually, I can ask our systems people if they can put me on a call if that helps.

    Many thanks,

    Sean.

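Added example, not code from the thread or from Sophos: a minimal model of the credentialed CORS exchange the test link above exercises (preflight OPTIONS followed by the actual GET carrying an X-Foo header), with the server's checks and the browser's acceptance of the preflight, so the headers that must be present are visible when debugging a request that stays pending. The origin and allow-lists are constructed values.

```javascript
const ALLOWED_ORIGINS = new Set(["https://app.intranet.example"]); // constructed allow-list
const ALLOWED_METHODS = ["GET"];
const ALLOWED_HEADERS = ["x-foo"];

// Header names are case-insensitive; normalise once.
const lower = (headers) =>
  Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));

// Server side: answer an OPTIONS preflight, or decorate the actual response.
function serverCors(req) {
  const h = lower(req.headers);
  if (!h.origin) return { status: 200, headers: {} };            // same-origin, nothing to do
  if (!ALLOWED_ORIGINS.has(h.origin)) return { status: 403, headers: {} };
  // Credentialed requests must echo the exact origin; browsers reject "*" here.
  const base = { "access-control-allow-origin": h.origin,
                 "access-control-allow-credentials": "true", vary: "Origin" };
  if (req.method === "OPTIONS" && h["access-control-request-method"]) {
    const wanted = (h["access-control-request-headers"] || "")
      .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
    const ok = ALLOWED_METHODS.includes(h["access-control-request-method"].toUpperCase())
      && wanted.every((x) => ALLOWED_HEADERS.includes(x));
    if (!ok) return { status: 403, headers: base };
    return { status: 204, headers: { ...base,
      "access-control-allow-methods": ALLOWED_METHODS.join(", "),
      "access-control-allow-headers": ALLOWED_HEADERS.join(", ") } };
  }
  return { status: 200, headers: { ...base, "access-control-expose-headers": "X-Foo" } };
}

// Browser side: may the actual request follow this preflight response?
// (Strict model: the method must be listed even though GET is CORS-safelisted.)
function browserAcceptsPreflight(resp, origin, method, reqHeaders) {
  const h = lower(resp.headers);
  if (resp.status < 200 || resp.status >= 300) return false;
  if (h["access-control-allow-origin"] !== origin) return false;  // "*" fails with credentials
  if (h["access-control-allow-credentials"] !== "true") return false;
  const split = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase());
  return split(h["access-control-allow-methods"]).includes(method.toLowerCase())
    && reqHeaders.every((x) => split(h["access-control-allow-headers"]).includes(x.toLowerCase()));
}

// The full exchange for the credentialed GET with X-Foo from the test link.
function runExchange(origin) {
  const preflight = serverCors({ method: "OPTIONS", headers: { Origin: origin,
    "Access-Control-Request-Method": "GET", "Access-Control-Request-Headers": "X-Foo" } });
  if (!browserAcceptsPreflight(preflight, origin, "GET", ["X-Foo"])) return "blocked";
  const actual = serverCors({ method: "GET", headers: { Origin: origin, "X-Foo": "1" } });
  return actual.status === 200 ? "ok" : "blocked";
}
```

A filter that lets the OPTIONS response through but holds the following GET, as described above, would show up here as a preflight that passes browserAcceptsPreflight while the actual request never completes.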
  • I lost hours to this today. Well done Ajax and team for finding the culprit.

    Sophos, breaking legitimate CORS activity is not an acceptable strategy. As mentioned in Ajax's post, this will cause issues on many rich client web applications. I am very much hoping this is a bug and not a feature!

    Andy

  • Hi Andy,

    Yep, it's definitely infuriating. What makes it even worse is that it's not consistent. Some requests get through fine and some stay pending, with no pattern that I could make out.

    The good news is that Sophos very quickly and professionally opened a support ticket for us about this and are looking into what's happening.

    So I think they're taking this seriously and should get it fixed ASAP.

    Cheers,

    Sean.

  • I can confirm this is an issue with the Sophos Software. This is also mentioned:

    http://stackoverflow.com/questions/20969553/json-rest-get-request-is-pending-with-cors-on-tomcat-for-chrome-firefox

    http://stackoverflow.com/questions/20389410/chrome-and-firefox-cors-ajax-calls-get-aborted-on-some-mac-machines

    Sometimes it works, sometimes not. It always works well in Safari; Chrome and Firefox have the same issue. Turning off the web scanner solved the CORS issues.

    @ajax: Could you post the support ticket number? This would allow us to track the updates.

  • After spending about 11 hours on this issue I can confirm that the bug (feature?) still exists in Sophos AV 9.0.11. I am using a Spring servlet as a REST API on a different domain than my client UI that makes the requests. I had the exact same problem as the OP when either of the security settings for web traffic were turned on.

    This must not only be a Sophos AV problem, since my teammates had the same issue and they are running Windows with Kaspersky. The official CORS spec was revised as of this January, so the major AV vendors are probably still changing their programs to suit the ever-changing technologies.

  • This issue was resolved in the 9.1.5 release; it was not backported to 9.0.x.

  • For anyone who stumbled onto this post due to a "rant of the day" link, you should get your free version updated to the 9.1.5 preview. Follow the info at this link:

    http://openforum.sophos.com/t5/Sophos-Anti-Virus-for-Mac-Home/SAV-for-Mac-9-1-Preview/td-p/18025

    The free version gets the same updates as the business version.


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development