Sign in Register
Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • TomDS 8 posts 99 karma points
    Jul 28, 2020 @ 07:38
    TomDS
    0

    Unable to view packages due to CORS policy

    Using Umbraco And Getting Started
    Umbraco 7

    When attempting to view packages. Developer -> Packages.

    The request to load the packages is failing due to failing a CORS policy.

    Access to XMLHttpRequest at 'https://our.umbraco.org/webapi/packages/v1' from origin 'https://localhost:8081' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

    The issue is present across all of our environments.

    I am unsure how to configure CORS to get around this.

    Copy Link
  • David Armitage 505 posts 2073 karma points
    Aug 01, 2020 @ 03:30
    David Armitage
    0

    Hi Tom,

    Check the web config. Have you got any strict security header in here. Maybe something similar to one of my client sites.

     <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <remove name="X-Frame-Options" />
        <remove name="X-Xss-Protection" />
        <remove name="X-Content-Type-Options" />
        <remove name="Content-Security-Policy" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-Xss-Protection" value="1; mode=block" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Content-Security-Policy" value="img-src 'self' data: *.google-analytics.com umbraco.tv *.umbraco.tv i.ytimg.com *.umbraco.org www.gravatar.com" />
        <add name="Referrer-Policy" value="strict-origin" />
        <add name="Feature-Policy" value="fullscreen 'none'; microphone 'none'" />
      </customHeaders>
    </httpProtocol>

    It might be worth checking you down have anything like this in there. Probably compare what headers are used with Umbraco out of the box.

    I think it should look something like this by default.

    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By"/>
      </customHeaders>
    </httpProtocol>

    Regards

    David

    Copy Link
  • TomDS 8 posts 99 karma points
    Aug 11, 2020 @ 07:40
    TomDS
    0

    Hi David,

    Currently Web.config contains the following which appears to have been in place for a long time prior to the package browser stopping working.

    <httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
    <!-- force newest IE rendering engine -->
    <remove name="X-UA-Compatible" />
    <add name="X-UA-Compatible" value="IE=Edge" />
    <remove name="X-XSS-Protection" />
    <add name="X-XSS-Protection" value="1; mode=block" />
  </customHeaders>
</httpProtocol>
    Copy Link
Please Sign in or register to post replies

Write your reply to:

Draft