Safari's bizarre caching of CORS resources breaks preloading

[toolness]

The following "game" just presents a one-eyed fly blinking, with a "blop" sound playing once per second. The spritesheet and sound are retrieved from a separate domain with CORS enabled.

<!DOCTYPE html>
<meta charset="utf-8">
<title>Safari CORS Lameness Example</title>
<div id="phaser-holder"></div>
<script src="//cdnjs.cloudflare.com/ajax/libs/phaser/2.1.3/phaser.min.js"></script>
<script>
var game = new Phaser.Game(288, 216, Phaser.CANVAS, 'phaser-holder', {
  preload: function() {
    game.load.crossOrigin = "anonymous";
    game.load.spritesheet("fly", "https://s3.amazonaws.com/safari-cors-lameness/fly-flying.png", 80, 92);
    game.load.audio("blop", "https://s3.amazonaws.com/safari-cors-lameness/Blop-Mark_DiAngelo.mp3");
  },
  create: function() {
    var fly = game.add.sprite(120, 57, "fly");
    var blop = game.add.audio("blop");

    fly.animations.add("flying", [0,1,2,3,4,5,6,7,8,9], 10, true);
    fly.animations.play("flying");
    game.stage.backgroundColor = 0xf0f0f0;
    game.time.events.loop(1000, blop.play.bind(blop));
  },
});
</script>

The above code, which you can try out live at http://jsbin.com/yolola/2/, works fine on Firefox 33, Internet Explorer 11, and Chrome 38. It also works on Safari 8.0 for the first page load, after which subsequent page refreshes fail. When it fails, the following appears in the Safari developer console:

[Error] Cross-origin image load denied by Cross-Origin Resource Sharing policy.
[Warning] Phaser.Loader error loading file: fly from URL https://s3.amazonaws.com/safari-cors-lameness/fly-flying.png (phaser.min.js, line 16)
[Error] XMLHttpRequest cannot load https://s3.amazonaws.com/safari-cors-lameness/Blop-Mark_DiAngelo.mp3. Origin http://jsbin.com is not allowed by Access-Control-Allow-Origin.
[Warning] Phaser.Loader error loading file: blop from URL https://s3.amazonaws.com/safari-cors-lameness/Blop-Mark_DiAngelo.mp3

Viewing the page successfully again requires manually clearing Safari's cache.

This appears to be due to an idiosyncrasy or bug in Safari having to do with the way it caches CORS-enabled resources, which is documented in CreateJS/PreloadJS#46. The first comment in that issue also reveals a potential workaround for the problem, which may or may not be translatable to Phaser.

I am okay with this bug being marked as "won't fix" because it's likely Safari's fault, not Phaser's, but I figured I would document the problem here anyways, just so it's easy to find and reproduce in the future.

Note: While I am confident that the the S3 bucket at safari-cors-lameness (which the assets in my example are being retrieved from) has a correct CORS policy, I'm including it below for reference, just in case I am horribly mistaken.

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

[pnstickne]

@toolness The crossOrigin option is only applied images (which are loaded via the Image tag), and not Audio or XHR loading. If the server doesn't explicitly require CORS for images, leaving it as the default crossOrigin = false should be preferable, but this doesn't address Audio/XHR caching or loading.

Anyway, does does using #1351 (bypasses onload/onerror for cached Images) or https://github.com/pnstickne/phaser/tree/wip-loader (a parallel loader, also does the same bypass) result in a working loader in Safari 8? I don't have access to a Mac, so..

Even if the branches work (for images), I suspect the said error messages will still be shown.

[toolness]

Thanks for the quick response, @pnstickne! I will try out those two suggestions... I'm aware that the crossOrigin option is only for images, but I was just using it anyways to show the utter totality of Safari's caching lameness (I also want an untainted canvas so I can eventually do per-pixel manipulation and stuff).

In the meantime, I've implemented the following horrible workaround, in case anyone else runs into this problem and needs things to work in Safari ASAP:

// Safari caches cross-origin resources in a ridiculous way.
// We'll work around this annoyance by monkeypatching 
// Phaser to ensure that we never ask for cached data.
function bypassSafariCORSLameness() {
  var LoaderProto = Phaser.Loader.prototype;
  var ua = navigator.userAgent;
  var isSafari = /safari/i.test(ua) && !/chrome/i.test(ua);
  if (!isSafari || LoaderProto.originalXhrLoad) return;

  console.log("Monkeypatching Phaser.Loader to bust cache because " +
              "https://github.com/photonstorm/phaser/issues/1355.");
  LoaderProto.originalXhrLoad = LoaderProto.xhrLoad;
  LoaderProto.xhrLoad = function(index, url, type, onload, onerror) {
    url = url + '?cacheBust=' + Date.now();
    return this.originalXhrLoad(index, url, type, onload, onerror);
  };
}

[pnstickne]

@toolness The more I'm reading, I believe this to be an S3 (and Cloudfront?) + Safari (and pre-25 Chrome) specific issue relating to caching and the returning (or not returning) of the Vary: Origin response header, and not necessarily an issue of just Safari (7/8).

• http://stackoverflow.com/questions/20253472/cors-problems-with-amazon-s3-on-the-latest-chomium-and-google-canary
• http://stackoverflow.com/questions/12498704/cached-non-cors-response-conflicts-with-new-cors-request
• https://bugs.webkit.org/show_bug.cgi?id=63090
• Fix cross origin images ( Such as S3 ) are failed to load on iPhone Safari niklasvh/html2canvas#374
• https://code.google.com/p/chromium/issues/detail?id=409090

I believe this issue only affects anon-CORS and thus crossOrigin = 'use-credentials' may address the issue (for images).

---

The cache busting work-about shown should also not affect Images working (or not working), so multiple special-casing may be required..

If such cache-busting is indeed the only viable solution to this issue then I think such should be applied in core as a "special" option. If only I had access to Safari sigh.

Although this really is a last-ditch effort, and hopefully at least the Image tag can be "fast accessed" from the cache (but is the image data dirtied in such a case, even if it is immediately available?).

[pnstickne]

@toolness Also, a "softer" work-about for XHR may be If-Not-Match: safari-no-cache, as see here pusherman/zip.js@57bda47 ; I've also seen Cache-Control: no-cache recommendations. Neither work in the case of tag loading but should lead to less cache pollution for XHR.

[pnstickne]

@toolness I'm really not sure of a "good" solution. Adding the If-Not-Match will promote all XHR to CORS, even when such might not be applicable - and it just becomes complicated if checking for same-domain in order to make such a decision.

In any case, if using https://github.com/pnstickne/phaser/tree/wip-loader the cache-busting can be implemented as so, after the game is "booted" (such as at the start of preload function):

if (game.device.safari || game.device.mobileSafari) {
    Phaser.Loader.prototype.transformUrl = function (url) {
        return this.baseURL + url + '?cacheBust=' + Date.now();
    }
}

Phaser.Device contains lots of device/browser - the above should catch Safari, Mobile Safari, and common UIWebView (eg. Chrome iOS) browsers (basically, all browsers that likely behave with such wonkiness) - ref. https://developer.chrome.com/multidevice/user-agent

I'll put a PR in for this branch shortly, although I'm not sure if it'll be accepted or make the upcoming 2.2 target.

[fyyyyy]

I get weird caching issues with S3 on Chrome Version 40.0.2214.91 (64-bit) on macOs
Despite being on the same s3 bucket, some images are not loaded, some work when switching to game.load.crossOrigin="Anonymous".

When opening dev tools under chrome, caching is disabled and everything works fine. I cleard chrome's cache but the problem persists in non-dev mode.

[photonstorm]

Closing this off for now as we've got fast-cache support in 2.3-dev, which should help, and it appears to be incredibly S3 specific (thanks Amazon). This issue will remain for anyone wanting to reference the thread and use some of the work-arounds posted above.

[GeoffreyBooth]

For anyone else struggling with this, I found a workaround that’s perhaps even more questionable (in my case, particular to videos):

var originalCreateElement = document.createElement;

document.createElement = function (tag) {
  var element;
  if (tag === 'video') {
    element = originalCreateElement.call(document, 'video');
    element.setAttribute('crossOrigin', 'anonymous');
  } else {
    element = originalCreateElement.call(document, tag);
  }
  return element;
};

In my case, I would’ve needed to override Phaser.Loader.prototype.loadVideoTag, as that function calls document.createElement('video') without adding the crossOrigin property. Somehow it feels safer to override the native createElement function, as this won’t break on updates to Phaser.