Firefox 'Cross-Origin Request Blocked' despite headers

I'm trying to make a simple cross-origin request, and Firefox is consistently blocking it with this error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at [url]. This can be fixed by moving the resource to the same domain or enabling CORS. [url]

It works fine in Chrome and Safari.

As far as I can tell I've set all the correct headers on my PHP to allow this to work. Here's what my server is responding with

HTTP/1.1 200 OK
Date: Mon, 23 Jun 2014 17:15:20 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.4-14+deb7u8
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: Content-Type
Access-Control-Request-Headers: X-Requested-With, accept, content-type
Vary: Accept-Encoding
Content-Length: 186
Content-Type: text/html

I've tried using Angular, jQuery, and a basic XMLHTTPRequest object, like so:

var data = "id=1234"
var request = new XMLHttpRequest({mozSystem: true})
request.onload = onSuccess;
request.open('GET', 'https://myurl.com' + '?' + data, true)
request.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded')
request.send()

...and it works in every browser except Firefox. Can anyone help with this?

Just had this exact problem, the error is too generic and on top of that Chrome and Firefox use different certificate stores, so its harder to debug. I should have suspected that when my proxy didn't capture any OPTIONS requests (it was breaking on the SSL handshake).

Godwhacker, I am into the same problem, perhaps. How did you find out that it was the security certificate? Where can you see this?

Unfortunately as it was seven months ago I can't remember- I think I noticed something when I was logging in to the server. Check that it's up to date and that the domains match.

For me, It was because I had some characters omitted in the intermediate certificate, "-----BEGIN CERTIFICATE-----". I hope this helps someone out there in the field.

That doesn't particularly help anyone visiting your site, unless you're happy put a message on there saying 'If you're using Firefox, please go to this site and add it to your list of exceptions'

In my case I had an angular app making calls to another server, with both using internally signed certificates. However, Firefox doesn't automatically trust the cert because it isn't recognized by a public authority. So I needed to make sure the certs for both servers were added as exceptions in Firefox before this issue went away.

For me the fix was to set withCredentials=true on the XHR instance; otherwise Firefox failed to use the client cert when making the request (worked fine in Chrome, however).

Please do not post the same answer more than once. And please be sure your answer actually answers the question. If you need to direct someone elsewhere for more information, it's not a good answer.

Hello I used the link because it has some more information like pre requisites etc . If you feel its in appropriate i will remove it .

@Cracker0dks "visit the blocked link once and add the exception" could you elaborate as to where to add the exception? I'm using Firefox Quantum. TIA

you surf to the link firefox is complaining about direktly. Then you get the certificate warning. Allow the certificate. Visit your primary site again.

That's fine if you want to set it to accept requests from anywhere; not fine if you don't, which is the entire point of the header.

Comment by @SamStorie sounds more like answer than this answer. Thank you

how did you figure out which extension is blocking the requests? I am having the same problem, as the request succeeds in a Firefox with a new profile (so no extensions)

I clicked each extension to see if there were any mentions of blocking content for the particular site I was having an issue with. Ghostery had an entry so I marked the site as trusted, reloaded the page, and the requests succeeded.

Thank you! I've also discovered the extension Project Insight which gives an overview of all extensions' permissions. addons.mozilla.org/en-US/firefox/addon/project-insight

My response headers had special characters which were causing an issue fixing that solved my problem.

this worked for me when my CORS works in all other browsers except Firefox with the error -> Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at localhost:44304/v1/search. (Reason: CORS request did not succeed).

Same story for me today, essentially. Restarting Firefox fixed it. More than 5 years later.

in my case the Remote Address is going to 443 port with http request

Seems the scheme is expected, looking at the examples at w3.org/TR/cors but anyways thanks, I was doing the wrong thing too, and yes, the Firefox error message is lacking.

@awendt Oof. Privacy Badger for me also. Thanks.

@Hypenate: Thanks for the solution. It solved Firefox problem. But it is not working for any of the mobile browser. Could you please help me in solving this issue.

In my case I'd turned on Firefox Enhanced Tracking Protection, I then removed it for sites that I trusted (development sites) and it fixed the errors I was getting. Phew I thought we'd broken the site for Firefox :-/

In my case, after enabling XHR messages in the Firefox developer console, I saw the request was blocked by and addon. Indeed there was an exclamation mark on the facebook container plugin button. I had to "allow site in facebook container" to get it working. I have to say that my URL request was to facebook basic display API, hope it helps someone.

Can you update your answer to explain how you found the error and fixed it?

@RylanSchaeffer it was nearly eight years ago so I'm afraid I can't remember exactly how I worked it out...

thank you, I browse and trust the api domain on firefox, then the angular successfully send and receive without error