ANY /cors-broken
Sends broken or missing CORS headers in four distinct modes. Handles OPTIONS preflight as well as regular methods, so behavior is testable end-to-end from a browser.
mode
Brokenness mode. One of: missing (no CORS headers; the default), wildcard-credentials (Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true — a combination the spec forbids, so browsers reject it), wrong-origin (hardcoded Access-Control-Allow-Origin: https://example.com), preflight-deny (403 on OPTIONS, 200 on GET).
# Raw response for each mode (curl does not enforce CORS, so the headers are visible as sent)
curl --include 'https://chaos.catastrophic.io/cors-broken?mode=missing'
curl --include 'https://chaos.catastrophic.io/cors-broken?mode=wildcard-credentials'
curl --include 'https://chaos.catastrophic.io/cors-broken?mode=wrong-origin'

# Preflight: the OPTIONS request a browser sends before a cross-origin GET
curl --include --request OPTIONS \
  --header 'Origin: https://myapp.example' \
  --header 'Access-Control-Request-Method: GET' \
  'https://chaos.catastrophic.io/cors-broken?mode=preflight-deny'
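# Non-browser clients do not enforce CORS — useful for inspecting raw headers.
import urllib.request

URL = "https://chaos.catastrophic.io/cors-broken?mode=wildcard-credentials"

# Use the response as a context manager so the connection is closed
# deterministically rather than leaked until garbage collection.
with urllib.request.urlopen(URL) as resp:
    # Header lookups are case-insensitive; a missing header prints as None.
    print("ACAO:", resp.headers.get("Access-Control-Allow-Origin"))
    print("ACAC:", resp.headers.get("Access-Control-Allow-Credentials"))
    print("Mode:", resp.headers.get("X-Chaos-Cors-Mode"))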
// In a browser, the CORS modes actually fail.
// From Node, fetch ignores CORS entirely — useful for header inspection.
const endpoint = "https://chaos.catastrophic.io/cors-broken?mode=wildcard-credentials";
try {
  // credentials: "include" mirrors the credentialed browser request this mode is built to break.
  const response = await fetch(endpoint, { credentials: "include" });
  // Header names are case-insensitive; a missing header logs as null.
  for (const name of ["access-control-allow-origin", "access-control-allow-credentials"]) {
    console.log(response.headers.get(name));
  }
} catch (e) {
  console.error("CORS blocked:", e.message);
}
package main
import (
	"fmt"
	"log"
	"net/http"
)
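// main fetches the wildcard-credentials mode and prints the raw CORS headers.
// Server-side clients ignore CORS, so the headers are seen exactly as sent.
func main() {
	resp, err := http.Get("https://chaos.catastrophic.io/cors-broken?mode=wildcard-credentials")
	if err != nil {
		// On error resp is nil; deferring resp.Body.Close() first would panic.
		log.Fatalf("request failed: %v", err)
	}
	defer resp.Body.Close()
	// Header.Get is case-insensitive and returns "" for a missing header.
	fmt.Println("ACAO:", resp.Header.Get("Access-Control-Allow-Origin"))
	fmt.Println("ACAC:", resp.Header.Get("Access-Control-Allow-Credentials"))
	fmt.Println("Mode:", resp.Header.Get("X-Chaos-Cors-Mode"))
}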
// Cargo.toml: reqwest = { version = "0.12", features = ["blocking"] }
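/// Fetches the wildcard-credentials mode and prints the raw CORS headers.
///
/// reqwest does not enforce CORS, so the headers are printed as the server
/// sent them; `None` means the header was absent.
///
/// # Errors
/// Returns the transport/request error from reqwest. The listing's original
/// return type `Box` lacked its type parameter and would not compile.
fn main() -> Result<(), Box<dyn std::error::Error>> {
    let resp = reqwest::blocking::get(
        "https://chaos.catastrophic.io/cors-broken?mode=wildcard-credentials",
    )?;
    let h = resp.headers();
    // HeaderMap lookups are case-insensitive; lowercase is the canonical form.
    println!("ACAO: {:?}", h.get("access-control-allow-origin"));
    println!("ACAC: {:?}", h.get("access-control-allow-credentials"));
    println!("Mode: {:?}", h.get("x-chaos-cors-mode"));
    Ok(())
}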
// Java 11+ HttpClient ignores CORS — inspect the raw headers.
import java.net.URI;
import java.net.http.*;
public class CorsBroken {
    /**
     * Fetches the wildcard-credentials mode and prints the raw CORS headers.
     * HttpClient does not enforce CORS, so the values are exactly what the server sent;
     * a missing header prints as an empty string.
     */
    public static void main(String[] args) throws Exception {
        var url = "https://chaos.catastrophic.io/cors-broken?mode=wildcard-credentials";
        var request = HttpRequest.newBuilder(URI.create(url)).build();
        var response = HttpClient.newHttpClient()
                .send(request, HttpResponse.BodyHandlers.discarding());
        var headers = response.headers();
        // firstValue is case-insensitive on header names.
        System.out.println("ACAO: " + headers.firstValue("Access-Control-Allow-Origin").orElse(""));
        System.out.println("ACAC: " + headers.firstValue("Access-Control-Allow-Credentials").orElse(""));
        System.out.println("Mode: " + headers.firstValue("X-Chaos-Cors-Mode").orElse(""));
    }
}
// .NET 6+. HttpClient ignores CORS — inspect the raw headers.
using var client = new HttpClient();
var response = await client.GetAsync("https://chaos.catastrophic.io/cors-broken?mode=wildcard-credentials");

// First value of a response header, or null when the server did not send it.
string? Header(string name) =>
    response.Headers.TryGetValues(name, out var values) ? values.FirstOrDefault() : null;

Console.WriteLine($"ACAO: {Header("Access-Control-Allow-Origin")}");
Console.WriteLine($"ACAC: {Header("Access-Control-Allow-Credentials")}");
Console.WriteLine($"Mode: {Header("X-Chaos-Cors-Mode")}");
require "net/http"
uri = URI("https://chaos.catastrophic.io/cors-broken?mode=wildcard-credentials")
# Net::HTTP does not enforce CORS, so the headers arrive exactly as the server sent them.
response = Net::HTTP.get_response(uri)

# Label => header name; a missing header interpolates as an empty string.
{
  "ACAO" => "Access-Control-Allow-Origin",
  "ACAC" => "Access-Control-Allow-Credentials",
  "Mode" => "X-Chaos-Cors-Mode",
}.each do |label, name|
  puts "#{label}: #{response[name]}"
end
# PowerShell does not enforce CORS — useful for inspecting raw headers
$response = Invoke-WebRequest -Uri 'https://chaos.catastrophic.io/cors-broken?mode=wildcard-credentials'
# Expected: *
Write-Output $response.Headers['Access-Control-Allow-Origin']
# Expected: true — a browser would reject this combination with the wildcard above
Write-Output $response.Headers['Access-Control-Allow-Credentials']