Firefox 'Cross-Origin Request Blocked' despite headers
Solution 1
Turns out this has nothing to do with CORS- it was a problem with the security certificate. Misleading errors = 4 hours of headaches.
Solution 2
I found that my problem was that the server I've sent the cross request to had a certificate that was not trusted.
If you want to connect to a cross domain with https
, you have to add an exception for this certificate first.
You can do this by visiting the blocked link once and addibng the exception.
Solution 3
I came across this question having found requests in Firefox were being blocked with the message:
Reason: CORS request did not succeed
After pulling my hair out I found out that a newly installed Firefox extension, Privacy Badger, was blocking the requests.
If you come to this question after scratching your head, try checking to see what extensions you have installed to see if any of them are blocking requests.
See Reason: CORS request did not succeed on MDN for details.
Solution 4
If you don't have a 'real' certificate (and thus using a self-signed one), in Firefox you can go to:
Options > Privacy & Security > (scroll to the bottom) View Certificates > Servers > Add Exception...
There, fill in the location, eg: https://www.myserver:myport
Solution 5
I've found solution after 2 days :(.
Important note: when responding to a credentialed request, server must specify a domain, and cannot use wild carding.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Requests_with_credentials
Related videos on Youtube
Godwhacker
Updated on July 08, 2022Comments
-
Godwhacker almost 2 years
I'm trying to make a simple cross-origin request, and Firefox is consistently blocking it with this error:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at [url]. This can be fixed by moving the resource to the same domain or enabling CORS. [url]
It works fine in Chrome and Safari.
As far as I can tell I've set all the correct headers on my PHP to allow this to work. Here's what my server is responding with
HTTP/1.1 200 OK Date: Mon, 23 Jun 2014 17:15:20 GMT Server: Apache/2.2.22 (Debian) X-Powered-By: PHP/5.4.4-14+deb7u8 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: Content-Type Access-Control-Request-Headers: X-Requested-With, accept, content-type Vary: Accept-Encoding Content-Length: 186 Content-Type: text/html
I've tried using Angular, jQuery, and a basic XMLHTTPRequest object, like so:
var data = "id=1234" var request = new XMLHttpRequest({mozSystem: true}) request.onload = onSuccess; request.open('GET', 'https://myurl.com' + '?' + data, true) request.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded') request.send()
...and it works in every browser except Firefox. Can anyone help with this?
-
nmaier almost 10 yearsCan you provide a full trace of all requests and responses? Or provide a test site at least? If the website accessing the remote origin http, https, file?
mozSystem
is not supported for regular websites just packaged firefox-os apps, so drop that option. -
Godwhacker almost 10 years@nmaier Headers when sending as POST rather than GET:
Accept application/json, text/plain, */*
Accept-Encoding gzip, deflate
Accept-Language en-US,en;q=0.5
Content-Length 35
Content-Type application/x-www-form-urlencoded; charset=UTF-8
Host [url]
Origin [url]
Referer [referrer url]
User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0
Error:Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at [url]. This can be fixed by moving the resource to the same domain or enabling CORS. [url]
-
Godwhacker almost 10 years@nmaier Actually it appears this is some sort of problem with the security certificate on the site I'm accessing- Firefox is just giving a spurious error. If I add the site to the list of exceptions it works fine.
-
-
Daniel Correia almost 10 yearsJust had this exact problem, the error is too generic and on top of that Chrome and Firefox use different certificate stores, so its harder to debug. I should have suspected that when my proxy didn't capture any OPTIONS requests (it was breaking on the SSL handshake).
-
Leo over 9 yearsGodwhacker, I am into the same problem, perhaps. How did you find out that it was the security certificate? Where can you see this?
-
Godwhacker over 9 yearsUnfortunately as it was seven months ago I can't remember- I think I noticed something when I was logging in to the server. Check that it's up to date and that the domains match.
-
Won Jun Bae about 9 yearsFor me, It was because I had some characters omitted in the intermediate certificate, "-----BEGIN CERTIFICATE-----". I hope this helps someone out there in the field.
-
Godwhacker almost 9 yearsThat doesn't particularly help anyone visiting your site, unless you're happy put a message on there saying 'If you're using Firefox, please go to this site and add it to your list of exceptions'
-
Sam Storie almost 9 yearsIn my case I had an angular app making calls to another server, with both using internally signed certificates. However, Firefox doesn't automatically trust the cert because it isn't recognized by a public authority. So I needed to make sure the certs for both servers were added as exceptions in Firefox before this issue went away.
-
clint over 8 yearsFor me the fix was to set
withCredentials=true
on the XHR instance; otherwise Firefox failed to use the client cert when making the request (worked fine in Chrome, however). -
elixenide over 8 yearsPlease do not post the same answer more than once. And please be sure your answer actually answers the question. If you need to direct someone elsewhere for more information, it's not a good answer.
-
Harsh Mehta over 8 yearsHello I used the link because it has some more information like pre requisites etc . If you feel its in appropriate i will remove it .
-
Paul about 6 years@Cracker0dks "visit the blocked link once and add the exception" could you elaborate as to where to add the exception? I'm using Firefox Quantum. TIA
-
Cracker0dks about 6 yearsyou surf to the link firefox is complaining about direktly. Then you get the certificate warning. Allow the certificate. Visit your primary site again.
-
Godwhacker almost 6 yearsThat's fine if you want to set it to accept requests from anywhere; not fine if you don't, which is the entire point of the header.
-
Naga about 5 yearsComment by @SamStorie sounds more like answer than this answer. Thank you
-
Ciprian Tomoiagă almost 5 yearshow did you figure out which extension is blocking the requests? I am having the same problem, as the request succeeds in a Firefox with a new profile (so no extensions)
-
Professor of programming almost 5 yearsI clicked each extension to see if there were any mentions of blocking content for the particular site I was having an issue with. Ghostery had an entry so I marked the site as trusted, reloaded the page, and the requests succeeded.
-
Ciprian Tomoiagă almost 5 yearsThank you! I've also discovered the extension Project Insight which gives an overview of all extensions' permissions. addons.mozilla.org/en-US/firefox/addon/project-insight
-
Gagan Babber almost 5 yearsMy response headers had special characters which were causing an issue fixing that solved my problem.
-
JGilmartin about 4 yearsthis worked for me when my CORS works in all other browsers except Firefox with the error -> Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at localhost:44304/v1/search. (Reason: CORS request did not succeed).
-
Søren Mortensen about 4 yearsSame story for me today, essentially. Restarting Firefox fixed it. More than 5 years later.
-
void about 4 yearsin my case the
Remote Address
is going to 443 port with http request -
Richard Green about 4 yearsSeems the scheme is expected, looking at the examples at w3.org/TR/cors but anyways thanks, I was doing the wrong thing too, and yes, the Firefox error message is lacking.
-
Jason Leach almost 4 years@awendt Oof. Privacy Badger for me also. Thanks.
-
Vikash Anand over 3 years@Hypenate: Thanks for the solution. It solved Firefox problem. But it is not working for any of the mobile browser. Could you please help me in solving this issue.
-
The Coder over 2 yearsIn my case I'd turned on Firefox Enhanced Tracking Protection, I then removed it for sites that I trusted (development sites) and it fixed the errors I was getting. Phew I thought we'd broken the site for Firefox :-/
-
Angel Auñón over 2 yearsIn my case, after enabling XHR messages in the Firefox developer console, I saw the request was blocked by and addon. Indeed there was an exclamation mark on the facebook container plugin button. I had to "allow site in facebook container" to get it working. I have to say that my URL request was to facebook basic display API, hope it helps someone.
-
Rylan Schaeffer over 2 yearsCan you update your answer to explain how you found the error and fixed it?
-
Godwhacker over 2 years@RylanSchaeffer it was nearly eight years ago so I'm afraid I can't remember exactly how I worked it out...
-
Keith POON almost 2 yearsthank you, I browse and trust the api domain on firefox, then the angular successfully send and receive without error