unable to view packages due to cors policy

Press Ctrl / CMD + C to copy this to your clipboard.

Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at

TomDS 8 posts 99 karma points

Jul 28, 2020 @ 07:38

0

Unable to view packages due to CORS policy

When attempting to view packages. Developer -> Packages.

The request to load the packages is failing due to failing a CORS policy.

Access to XMLHttpRequest at 'https://our.umbraco.org/webapi/packages/v1' from origin 'https://localhost:8081' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

The issue is present across all of our environments.

I am unsure how to configure CORS to get around this.

Copy Link

David Armitage 508 posts 2078 karma points

Aug 01, 2020 @ 03:30

Hi Tom,

Check the web config. Have you got any strict security header in here. Maybe something similar to one of my client sites.

 <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <remove name="X-Frame-Options" />
        <remove name="X-Xss-Protection" />
        <remove name="X-Content-Type-Options" />
        <remove name="Content-Security-Policy" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-Xss-Protection" value="1; mode=block" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Content-Security-Policy" value="img-src 'self' data: *.google-analytics.com umbraco.tv *.umbraco.tv i.ytimg.com *.umbraco.org www.gravatar.com" />
        <add name="Referrer-Policy" value="strict-origin" />
        <add name="Feature-Policy" value="fullscreen 'none'; microphone 'none'" />
      </customHeaders>
    </httpProtocol>

It might be worth checking you down have anything like this in there. Probably compare what headers are used with Umbraco out of the box.

I think it should look something like this by default.

<httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By"/>
      </customHeaders>
    </httpProtocol>

Regards

David

Copy Link

TomDS 8 posts 99 karma points

Aug 11, 2020 @ 07:40

Hi David,

Currently Web.config contains the following which appears to have been in place for a long time prior to the package browser stopping working.

<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
    <!-- force newest IE rendering engine -->
    <remove name="X-UA-Compatible" />
    <add name="X-UA-Compatible" value="IE=Edge" />
    <remove name="X-XSS-Protection" />
    <add name="X-XSS-Protection" value="1; mode=block" />
  </customHeaders>
</httpProtocol>

Copy Link

is working on a reply...

Please Sign in or register to post replies

Flag this post as spam?