Cross-Origin Request Blocked
Closed this issue · 4 comments
Browser: Firefox 64.0
OS: MAC OS Mojave
Add on config:
Enabled at start: checked
Force value of ....
default (unchanged)
Activation Whitelist
/localhost:3000/i
*
The add-on color is red/green, meaning the whitelist is matched.
http://localhost:3000/create
is my local dev server.
However, when I try to hit my API server I receive the following error:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://cms-.....
Please check, let me know if you need more info
I've even removed all items from 'Activation Whitelist' and turned on the add-on ('Full green'), but still the same issue.
Ideally the full HTTP conversation would be helpful, but first let's just eliminate the obvious:
- Does the request use withCredentials?
- Is there a preflight request (method OPTIONS)?
- Does it return a 2xx HTTP code?
Sure, here is the curl:
curl 'http://cms-u-cuat....... ' -X OPTIONS -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:64.0) Gecko/20100101 Firefox/64.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-GB,en-US;q=0.7,en;q=0.3' --compressed -H 'Access-Control-Request-Method: GET' -H 'Access-Control-Request-Headers: authorization' -H 'Referer: http://localhost:3000/create' -H 'Origin: http://localhost:3000' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache'
Yes, it has a preflight request.
No auth credentials required.
It doesn't return any response but instead the CORS error. Status code is
403 Forbidden
Here are the request headers:
Host: cms-u-cuat-.....
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization
Referer: http://localhost:3000/create
Origin: http://localhost:3000
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Response headers:
HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
X-Application-Context: application:8083
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
Content-Length: 20
Date: Thu, 10 Jan 2019 11:42:24 GMT
That 403 code is the likely culprit.
While the add-on loosens the security context, it can't bypass everything. As such, when a preflight request returns a non-2xx code, it is considered a failure; that's part of the official specification. And sadly I haven't found any workaround for it.
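To make the point above concrete, here is an added example (not code from the add-on or from anyone in this thread) that models how a browser evaluates a CORS preflight response per the Fetch specification: the status check comes first, so the 403 reported in the thread fails before any Access-Control-* header is even consulted. The preflight values are the ones posted above; the "fixed" response is a constructed example of what the API server would need to send.

```javascript
// Model of the browser's CORS-preflight evaluation (Fetch spec order):
// 1. ok status (2xx)  2. origin allowed  3. method allowed  4. headers allowed.
function parseList(value) {
  return (value || "").split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
}

function evaluatePreflight(request, response) {
  const h = {};
  for (const [k, v] of Object.entries(response.headers)) h[k.toLowerCase()] = v;

  // Step 1: a non-2xx status is a network error; nothing else is looked at.
  if (response.status < 200 || response.status > 299) {
    return { ok: false, reason: `preflight status ${response.status} is not 2xx` };
  }
  // Step 2: Access-Control-Allow-Origin must match ("*" only without credentials).
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin !== request.origin && !(allowOrigin === "*" && !request.credentials)) {
    return { ok: false, reason: "Access-Control-Allow-Origin does not match origin" };
  }
  // Step 3: requested method must be listed; GET/HEAD/POST are always safe-listed.
  const methods = parseList(h["access-control-allow-methods"]);
  const m = request.method.toLowerCase();
  if (!["get", "head", "post"].includes(m) && !methods.includes(m) &&
      !(methods.includes("*") && !request.credentials)) {
    return { ok: false, reason: `method ${request.method} not allowed` };
  }
  // Step 4: every requested header must be listed. Per the spec, a "*" in
  // Access-Control-Allow-Headers never covers Authorization; it must be named.
  const allowed = parseList(h["access-control-allow-headers"]);
  for (const name of request.requestHeaders) {
    const n = name.toLowerCase();
    if (!allowed.includes(n) &&
        !(allowed.includes("*") && !request.credentials && n !== "authorization")) {
      return { ok: false, reason: `header ${name} not allowed` };
    }
  }
  return { ok: true, reason: "preflight accepted" };
}

// Preflight as posted in the thread: GET with an Authorization header from localhost:3000.
const preflight = { origin: "http://localhost:3000", method: "GET",
                    requestHeaders: ["authorization"], credentials: false };
// Response as reported in the thread: 403 and no Access-Control-* headers at all.
const reported = { status: 403, headers: { Server: "Apache-Coyote/1.1",
                   Allow: "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH" } };
// Constructed response the API server would need to return for the preflight to pass.
const fixed = { status: 204, headers: { "Access-Control-Allow-Origin": "http://localhost:3000",
                "Access-Control-Allow-Methods": "GET, OPTIONS",
                "Access-Control-Allow-Headers": "Authorization", Vary: "Origin" } };
```

Running `evaluatePreflight(preflight, reported)` explains the error in the thread (status 403), while `evaluatePreflight(preflight, fixed)` is accepted; the server-side OPTIONS handler, not the browser add-on, is where this has to be fixed.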