10

I'm trying to enable CORS but I constantly have the same problem for each request sent from my AngularJS web app:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://.../... (Reason: CORS header 'Access-Control-Allow-Origin' missing).

And it only occurs with Firefox! It works perfectly with Chrome, Safari, IE and Edge.

Environment:

My API is a .NET Web Api 2.3 (.NET 4.6) hosted on Azure App Services (IIS 8.0).

My front app is a AngularJS webapp that I access via https and which consumes the API via https.

What I did: I have a Startup class which is declared as the startup entry point for Owin.

[assembly: OwinStartup(typeof(Startup))]
namespace SentinelleApi
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);

            app.Map("/signalr", map =>
            {
                map.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
                var hubConfiguration = new HubConfiguration
                {
                    EnableDetailedErrors = true,
                    EnableJavaScriptProxies = false
                };
                map.RunSignalR(hubConfiguration);
            });

            HttpConfiguration config = new HttpConfiguration();
            WebApiConfig.Register(config);
            app.UseWebApi(config);
        }
    }
}

I have a WebApiConfig class which is declared as below:

namespace SentinelleApi
{
    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {    
            // No need to declare config.EnableCors() here, the app.UseCors(...) does the job in startup section
            // Web API routes
            config.MapHttpAttributeRoutes();

            config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "api/{controller}/{id}",
                defaults: new {id = RouteParameter.Optional}
                );
        }
    }
}

I did not touch web.config to manually add headers (I tried, but it didn't solve my problem). Anyway, it's not recommended to add these headers in web.config and to have app.UseCors() at the same time.

So, on Firefox, I have the CORS error, but on Safari/Chrome, no problem!

I have the Access-Control-Allow-Origins everywhere except Firefox.

On Chrome:

chrome

On Firefox:

firefox

EDIT: Well, I've investigated a bit more, and if I switch my webapp address from https:// to http://, everything works fine on Firefox (also, my API can be consumed by Angular via https with no CORS problem at all) ...

I really don't understand what's going on, but magically, Access-Control-Allow-Origin appears on every API routes consumed by Firefox, which was not the case when it was a secure connection (https). I rely on https Azure certificate from Microsoft, which seems to be valid (the lock icon is green).

Of course, I would like to keep https, but I don't know how I can solve my issue.

Seems to be related to: Firefox CORS request giving 'Cross-Origin Request Blocked' despite headers

I've made a rewrite rule regarding the web app client (which hosts AngularJS). In my web.config, I have: 

    <rule name="RedirectToHTTPS" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
        <add input="{URL}" pattern="/$" negate="true" />
        <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
      </conditions>
      <action type="Redirect" url="https://{SERVER_NAME}/{R:1}" redirectType="SeeOther" />
    </rule>

When I remove it, it's fine (my web app is accessible using HTTP), but when I switch to HTTPS, and even though the API server accept all origins, it fails.

So the question: Should I add something special to make HTTPS/Certificate works with CORS (under Firefox)?

Also related: https://stackoverflow.com/questions/33743645/iis-reverse-proxy-to-bypass-cors-issue

Community
  • 1
  • 1
  • Will your angular app be running in that same domain all the time? If so you can add that domain to < add name="Access-Control-Allow-Origin" value="http://yourdomain.com"/ >. – jsxsl Feb 02 '16 at 21:45
  • Indeed my Angular app is always on the same domain, but adding explictly its URL instead of * doesn't change –  Feb 02 '16 at 21:49
  • Have you tried removing the line: var cors = new EnableCorsAttribute("*", "*", "*"); – jsxsl Feb 02 '16 at 21:55
  • Yes, no change. And I've checked adding to the controller, not even better. In fact, I have no Access-Control-Allow-Origins header response when I call my API using REST Client (from Firefox or Chrome) –  Feb 02 '16 at 22:04
  • I would advise you to use Fiddler/Ethereal (or the likes, some hassle to set up with HTTPS but doable) to catch the real HTTP traffic. IIRC the browsers do not always display this information in developer tools. Verify the cause to be the browser (FF) not consuming the correctly send header (and file a bug report) or your server not sending the correct CORS headers. – Marvin Smit Feb 07 '16 at 09:27

4 Answers4

6

do you think you could be having this issue Firefox CORS request giving 'Cross-Origin Request Blocked' despite headers

Firefox uses a different certificate store from chrome/IO you can check the certificates under tools -> options -> advanced and then you have a button to view the ceritifcate store.

Community
  • 1
  • 1
Batavia
  • 2,497
  • 14
  • 16
  • It may be related yes, but I don't think the certificate is invalid or malformed, because I use the *azurewebsites.net domain which is associated to a valid https certificate signed from Microsoft. –  Feb 05 '16 at 10:33
  • But if you check the link you are trying to access over https in firefox. does firefox complain? – Batavia Feb 05 '16 at 11:29
  • No I don't have any alert from Firefox, it acknowledges the certificate as Chrome or Safari do –  Feb 05 '16 at 12:49
  • However, I managed to have the bug fixed temporarily, tweaking the Baltimore CyberTrust Root certificate, which "holds" the certificate delivered by Microsoft (Microsoft IT SSL SHA2). But I don't remember how I did it... I will check again –  Feb 05 '16 at 12:51
  • I think it's definitely a bug due to how Firefox manage certificates. Again, I don't have any issue with any other browsers –  Feb 05 '16 at 12:56
3

I was facing exactly the same problem, and the bug seems to be fixed on the new fresh version of Firefox - 45.0.0. Try to update and check it again. I'm gonna explain the issue to the users and guide them to do the upgrade as well.

Douglas
  • 46
  • 4
1

I was having this problem with a PHP script that would check for the 'Origin' request header, and add the 'Access-Control-Allow-Origin' response header if it matched what was expected.

In the end the problem was that firefox was sending the header as 'origin' (all lowercase), while my script was looking for the standard header 'Origin' (mixed case).

Fix was to add a handler for the all lowercase 'origin' request header.

Geoff Salmon
  • 81
  • 1
  • 6
  • 1
    Can you add some more details on how you added a handler for the lowercase 'origin' request headers? I have poked around a bit in IIS and I know where to add handlers, but I don't know the syntax beyond that. I am curious for IIS 7. – ejo4041 Oct 11 '16 at 13:04
  • I simply copied the mixed-case code block and changed the string to all lowercase. The same thing could be achieved with an 'or' in the control structure. – Geoff Salmon Feb 13 '17 at 22:17
1

What worked to me was to disable the Firefox protection against tracking option.

Alexis Rengifo
  • 113
  • 11