Funkcionalnosć toś togo sedła se pśez wótwardowańske źěła wobgranicujo, kótarež maju wašo dožywjenje pólěpšyś. Jolic nastawk waš problem njerozwězujo a cośo pšašanje stajiś, wobrośćo se na našo zgromoźeństwo pomocy, kótarež na to caka, wam na @FirefoxSupport na Twitter a /r/firefox na Reddit pomagaś.

Pomoc pśepytaś

Glědajśo se wobšudy pomocy. Njenapominajomy was nigda, telefonowy numer zawołaś, SMS pósłaś abo wósobinske informacije pśeraźiś. Pšosym dajśo suspektnu aktiwitu z pomocu nastajenja „Znjewužywanje k wěsći daś“ k wěsći.

Dalšne informacije

CORS Configuration Issue in Firefox – Works in Chrome

  • 1 wótegrono
  • 0 ma toś ten problem
  • 7 naglědow
  • Slědne wótegrono wót Draven Locke

more options

Hi,

I'm developing a website that needs to authenticate with an external endpoint. Once authenticated, the website receives a session cookie that it uses for subsequent API requests.

I've configured the CORS headers on both Apache and Nginx, but I can't get it to work in Firefox. Interestingly, the same setup works perfectly in Google Chrome.

Here's an example of the headers I receive using a curl call:

curl -X OPTIONS https://crlliria.moval.es/web/session/authenticate \ -H "Origin: https://gis.moval.es" \ -H "Access-Control-Request-Method: POST" -I -k

HTTP/1.1 204 No Content Server: nginx Date: Wed, 04 Dec 2024 10:23:24 GMT Connection: keep-alive Access-Control-Allow-Origin: https://gis.moval.es Access-Control-Allow-Credentials: true Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range Access-Control-Max-Age: 1728000 Content-Type: text/plain; charset=utf-8 Content-Length: 0

Despite these headers appearing correct, Firefox throws the following error:

"Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’."

I know the Access-Control-Allow-Origin value is not * (it's set to https://gis.moval.es), so this message might not reflect the real issue. However, I can't figure out how to debug it further.

Questions:

Is there anything specific about Firefox's handling of CORS and credentials that might cause this issue? Are there tools or techniques I can use to diagnose the actual problem? Could there be a subtle discrepancy in the request or response that Firefox is stricter about compared to Chrome? Any help or suggestions would be greatly appreciated!

Thanks in advance.

Hi, I'm developing a website that needs to authenticate with an external endpoint. Once authenticated, the website receives a session cookie that it uses for subsequent API requests. I've configured the CORS headers on both Apache and Nginx, but I can't get it to work in Firefox. Interestingly, the same setup works perfectly in Google Chrome. Here's an example of the headers I receive using a curl call: curl -X OPTIONS https://crlliria.moval.es/web/session/authenticate \ -H "Origin: https://gis.moval.es" \ -H "Access-Control-Request-Method: POST" -I -k HTTP/1.1 204 No Content Server: nginx Date: Wed, 04 Dec 2024 10:23:24 GMT Connection: keep-alive Access-Control-Allow-Origin: https://gis.moval.es Access-Control-Allow-Credentials: true Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range Access-Control-Max-Age: 1728000 Content-Type: text/plain; charset=utf-8 Content-Length: 0 Despite these headers appearing correct, Firefox throws the following error: "Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’." I know the Access-Control-Allow-Origin value is not * (it's set to https://gis.moval.es), so this message might not reflect the real issue. However, I can't figure out how to debug it further. Questions: Is there anything specific about Firefox's handling of CORS and credentials that might cause this issue? Are there tools or techniques I can use to diagnose the actual problem? Could there be a subtle discrepancy in the request or response that Firefox is stricter about compared to Chrome? Any help or suggestions would be greatly appreciated! Thanks in advance.
Pśipowjesone fota wobrazowki

Wšykne wótegrona (1)

more options

Hi Salvador Sánchez Aroca!

It sounds like you're facing a frustrating issue with CORS and authentication in Firefox. Let’s see if we can troubleshoot this together.

Cross-Origin Credentials Rule: Firefox is stricter compared to Chrome when it comes to handling CORS with credentials. Even though you have Access-Control-Allow-Origin set correctly, make sure that both the request and response are handling credentials properly. For Access-Control-Allow-Credentials to be true, you need to ensure that Access-Control-Allow-Origin is not set to * — which appears to be correct in your case.

Check Preflight Requests: Since you’re using POST, ensure your server correctly responds to the preflight OPTIONS request. Review the headers returned in response to the OPTIONS request to confirm they match your expectations.

Use Firefox Debugging Tools: The Firefox Developer Tools can help you analyze network requests. Look at the "Network" tab to check the headers for both your OPTIONS and POST requests. This may reveal if any headers are missing.

CORS and Path Matching: Check if there’s any mismatch between your origin (the referring domain) and the headers set on your server. Sometimes, discrepancies in subdomain or trailing slashes can cause issues.

Browser Cache: Clear your browser cache, as old response headers might affect new requests. Test with Different Origins: If possible, try testing with a simpler setup to see if it’s an issue with your specific domain configuration. This can help isolate the problem.

If the issue persists, consider setting up a minimal example or using tools like Postman or Insomnia to replicate the request. This can help determine if it’s a browser-specific issue or a problem with your server setup.

I hope this helps, and best of luck with your project! Cheers!

Wužytny?

Stajśo pšašanje

Musyśo se pla swójogo konta pśizjawiś, aby na pśinoski wótegronił. Pšosym stajśo pšašanje, jolic hyšći njamaśo wužywaŕske konto.