Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • TomDS 5 posts 95 karma points
    6 days ago
    TomDS
    0

    Unable to view packages due to CORS policy

    When attempting to view packages. Developer -> Packages.

    The request to load the packages is failing due to failing a CORS policy.

    Access to XMLHttpRequest at 'https://our.umbraco.org/webapi/packages/v1' from origin 'https://localhost:8081' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

    The issue is present across all of our environments.

    I am unsure how to configure CORS to get around this.

  • David Armitage 314 posts 1239 karma points
    2 days ago
    David Armitage
    0

    Hi Tom,

    Check the web config. Have you got any strict security header in here. Maybe something similar to one of my client sites.

     <httpProtocol>
          <customHeaders>
            <remove name="X-Powered-By" />
            <remove name="X-Frame-Options" />
            <remove name="X-Xss-Protection" />
            <remove name="X-Content-Type-Options" />
            <remove name="Content-Security-Policy" />
            <add name="X-Frame-Options" value="SAMEORIGIN" />
            <add name="X-Xss-Protection" value="1; mode=block" />
            <add name="X-Content-Type-Options" value="nosniff" />
            <add name="Content-Security-Policy" value="img-src 'self' data: *.google-analytics.com umbraco.tv *.umbraco.tv i.ytimg.com *.umbraco.org www.gravatar.com" />
            <add name="Referrer-Policy" value="strict-origin" />
            <add name="Feature-Policy" value="fullscreen 'none'; microphone 'none'" />
          </customHeaders>
        </httpProtocol>
    

    It might be worth checking you down have anything like this in there. Probably compare what headers are used with Umbraco out of the box.

    I think it should look something like this by default.

    <httpProtocol>
          <customHeaders>
            <remove name="X-Powered-By"/>
          </customHeaders>
        </httpProtocol>
    

    Regards

    David

Please Sign in or register to post replies

Write your reply to:

Draft