Why is this CORS request failing only in Firefox?

43,039

Solution 1

QUESTION: "Why is this CORS request failing only in Firefox?"


ANSWER: While unrelated to the OP's specific case, it may help you to know that Firefox does not trust CAs (certificate authorities) in the Windows Certificate Store by default, and this can result in failing CORS requests in Firefox (as was alluded to by Svish in the question comments).


To allow Firefox to trust CAs in the Windows Certificate Store:

  • In Firefox, type about:config in the address bar
  • If prompted, accept any warnings
  • Right-click to create a new boolean value, and enter security.enterprise_roots.enabled as the Name
  • Set the value to true
  • Then re-test the failing request

Answer source: https://support.umbrella.com/hc/en-us/articles/115000669728-Configuring-Firefox-to-use-the-Windows-Certificate-Store

Solution 2

Note that Firefox is the only browser that is compliant here. If parsing of Access-Control-Allow-Methods fails per https://fetch.spec.whatwg.org/#cors-preflight-fetch a network error needs to be returned. And per the ABNF for the header value it is most definitely a comma-separated value.
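The parsing rule Solution 2 refers to, as an added example that is not part of either answer: a simplified model of the preflight method check in which a header value that is not a comma-separated token list is a hard failure. The function names are hypothetical, the header values are constructed from the question, and treating an absent header as an empty list is a simplification.

```javascript
// Added example (not from the original answers). Header values below are constructed.
// tchar set from RFC 7230; the header ABNF is a comma-separated list of method tokens.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const SAFELISTED = ['GET', 'HEAD', 'POST']; // CORS-safelisted methods (Fetch)

// Returns the list of methods, [] if the header is absent (simplification),
// or null when the value does not parse as a comma-separated token list.
function parseAllowMethods(value) {
  if (value === undefined) return [];
  const methods = [];
  for (const part of value.split(',')) {
    const item = part.replace(/^[ \t]+|[ \t]+$/g, ''); // strip optional whitespace
    if (item === '') continue;           // RFC 7230 lets recipients skip empty elements
    if (!TOKEN.test(item)) return null;  // e.g. a space inside an element
    methods.push(item);
  }
  return methods;
}

// Strict preflight method check: a parse failure is a network error
// even when the request method itself would have been acceptable.
function checkPreflight(headers, method, withCredentials) {
  const methods = parseAllowMethods(headers['access-control-allow-methods']);
  if (methods === null) {
    return { ok: false, reason: 'Access-Control-Allow-Methods failed to parse' };
  }
  // `*` is a wildcard only for requests without credentials.
  const wildcard = !withCredentials && methods.includes('*');
  if (SAFELISTED.includes(method) || methods.includes(method) || wildcard) {
    return { ok: true, reason: 'method allowed' };
  }
  return { ok: false, reason: `method ${method} not allowed` };
}

// Constructed sample headers: the value from the question, then a comma-separated form.
const asPosted = { 'access-control-allow-methods': 'POST GET OPTIONS' };
const corrected = { 'access-control-allow-methods': 'POST, GET, OPTIONS' };
console.log(checkPreflight(asPosted, 'POST', true));
console.log(checkPreflight(corrected, 'POST', true));
```

POST is a CORS-safelisted method, so the space-separated value fails here because of the parse step alone, not because POST is missing from the list.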

Author by

rq_

Updated on February 05, 2022

Comments

  • rq_ over 2 years

    I'm implementing CORS with credentials and a preflight request and I'm a bit mystified why the preflight request consistently fails in Firefox 30 but works in Safari (7.0.2) and Chrome 35. I think this issue is different from "Why does the preflight OPTIONS request of an authenticated CORS request work in Chrome but not Firefox?" because I am not getting a 401, but rather a CORS-specific message from the browser client:

    "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://myurl.dev.com. This can be fixed by moving the resource to the same domain or enabling CORS."

    Without showing source code, here's what I'm doing:

    On the server:

    Headers for OPTIONS response:

    • Access-Control-Allow-Origin: [[copy origin from the request here]]
    • Access-Control-Allow-Methods: "POST GET OPTIONS"
    • Access-Control-Allow-Headers: "X-Requested-With"
    • Access-Control-Allow-Credentials: "true"

    Headers for POST response:

    • Access-Control-Allow-Origin: [[copy origin from the request here]]
    • Access-Control-Allow-Credentials: "true"

    In the browser client:

    jQuery.ajax({
      url: requestUrl,
      type: 'POST',
      data: getData(),
      xhrFields: {
        withCredentials: true
      }
    });
    

    Per the spec, this will trigger an OPTIONS preflight request which needs to have the CORS headers in its response. I've read through the W3C spec several times and I can't identify what I'm doing wrong, if anything, in that preflight response.