  • TomDS 8 posts 99 karma points
    Jul 28, 2020 @ 07:38
    TomDS
    0

    Unable to view packages due to CORS policy

    When attempting to view packages (Developer -> Packages), the request to load the packages fails due to a CORS policy.

    Access to XMLHttpRequest at 'https://our.umbraco.org/webapi/packages/v1' from origin 'https://localhost:8081' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

    The issue is present across all of our environments.

    I am unsure how to configure CORS to get around this.

  • David Armitage 510 posts 2081 karma points
    Aug 01, 2020 @ 03:30
    David Armitage
    0

    Hi Tom,

    Check the web config. Have you got any strict security headers in there? Maybe something similar to one of my client sites.

    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <remove name="X-Frame-Options" />
        <remove name="X-Xss-Protection" />
        <remove name="X-Content-Type-Options" />
        <remove name="Content-Security-Policy" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-Xss-Protection" value="1; mode=block" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Content-Security-Policy" value="img-src 'self' data: *.google-analytics.com umbraco.tv *.umbraco.tv i.ytimg.com *.umbraco.org www.gravatar.com" />
        <add name="Referrer-Policy" value="strict-origin" />
        <add name="Feature-Policy" value="fullscreen 'none'; microphone 'none'" />
      </customHeaders>
    </httpProtocol>
    

    It might be worth checking you don't have anything like this in there. Probably compare what headers are used with Umbraco out of the box.

    I think it should look something like this by default.

    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By"/>
      </customHeaders>
    </httpProtocol>
    

    Regards

    David
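
One way to run the comparison suggested in the reply above, as an added example that is not part of the original thread or of Umbraco: it lists every header a Web.config adds beyond the default quoted there and reports whether a Content-Security-Policy restricts XMLHttpRequest targets. The function names and the shortened sample config are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a shortened copy of the customHeaders block quoted in the reply.
SAMPLE_WEB_CONFIG = """<configuration><system.webServer><httpProtocol><customHeaders>
  <remove name="X-Powered-By" />
  <add name="X-Frame-Options" value="SAMEORIGIN" />
  <add name="Content-Security-Policy" value="img-src 'self' data: *.umbraco.org www.gravatar.com" />
  <add name="Referrer-Policy" value="strict-origin" />
</customHeaders></httpProtocol></system.webServer></configuration>"""


def added_headers(web_config_xml):
    """Return {lower-cased name: value} for each <add> inside <customHeaders>."""
    root = ET.fromstring(web_config_xml)
    found = {}
    for block in root.iter("customHeaders"):
        for add in block.findall("add"):
            if add.get("name"):
                found[add.get("name").lower()] = add.get("value", "")
    return found


def xhr_sources(policy):
    """Return the CSP source list that governs XMLHttpRequest, or None.

    connect-src controls XHR/fetch targets and falls back to default-src;
    if neither is present the policy places no restriction on XHR.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers, so keep the first.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    for name in ("connect-src", "default-src"):
        if name in directives:
            return directives[name]
    return None


def review(web_config_xml):
    """Summarise headers added beyond the default (which only removes X-Powered-By)."""
    headers = added_headers(web_config_xml)
    csp = headers.get("content-security-policy")
    return {
        "non_default_headers": sorted(headers),
        "csp_xhr_sources": xhr_sources(csp) if csp else None,
    }


if __name__ == "__main__":
    print(review(SAMPLE_WEB_CONFIG))
```

A `csp_xhr_sources` of `None` means the configured policy has no `connect-src` or `default-src` directive, so it does not limit where XMLHttpRequest may connect.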

  • TomDS 8 posts 99 karma points
    Aug 11, 2020 @ 07:40
    TomDS
    0

    Hi David,

    Currently Web.config contains the following which appears to have been in place for a long time prior to the package browser stopping working.

    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <!-- force newest IE rendering engine -->
        <remove name="X-UA-Compatible" />
        <add name="X-UA-Compatible" value="IE=Edge" />
        <remove name="X-XSS-Protection" />
        <add name="X-XSS-Protection" value="1; mode=block" />
      </customHeaders>
    </httpProtocol>
    