Forum Discussion
Cross-Origin Request Blocked
Apologies if some information is missing, but my knowledge of BIG-IPs is limited at best.
Basically we have users trying to access some external sites that appear to be using CORS to display videos.
Our BIG-IPs are set up with proxy servers to use SWG filtering.
Users are trying to access the site using Firefox 60.4.0 ESR.
Looking through the debug console when trying to access the following page for example:
https://ga.vyond.com/videos/0t0c5lmtVSQ8?utm_source=linkshare&utm_medium=linkshare&utm_campaign=usercontent&ga=1
Will return:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://goanimate.zendesk.com/embeddable_blip?type=pageView&data=eyJwYWdlVmlldyI6eyJyZWZlcnJlciI6Imh0dHBzOi8vZ2EudnlvbmQuY29tL3ZpZGVvcy8wdDBjNWxtdFZTUTg%… (Reason: CORS header 'Access-Control-Allow-Origin' missing).
We've tried testing access using the latest Firefox version so as to rule out an issue with the browser.
Using a proxy that bypasses the BIG-IP loads the video without issue, so it's definitely something in our setup that's causing the CORS errors.
Any suggestions on how to resolve this would be greatly appreciated.
- Andrew-F5Employee
Are you using ASM on the virtual server that is servicing these requests?
What software version are you running? 14.x or greater?
If you meet the conditions above you may be hitting a known bug,
Bug ID 746394: With ASM CORS set to 'Disabled' it strips all CORS headers in response.
Best,
Andrew
- J_P_Patinha-AydNimbostratus
It doesn't look like we have ASM so I don't think this applies.
Thanks for the reply though.
- jefryarchNimbostratus
The Same Origin Policy (SOP) is the policy browsers implement to prevent vulnerabilities via Cross Site Scripting (XSS). In other words, the browser would not allow any site to make a request to any other site. It would prevent different origins from interacting with each other through such requests, like AJAX. This policy exists because it is too easy to inject a link to a JavaScript file that is on a different domain. This is a security risk - you really only want code that comes from the site you are on to execute and not just any code that is out there.
Cross-Origin Resource Sharing (CORS) is one of the few techniques for relaxing the SOP. Because SOP is "on" by default, setting CORS on the server side will allow a request to be sent to the server via an XMLHttpRequest even if the request was sent from a different domain. This becomes useful if your server was intended to serve requests from other domains (e.g. if you are providing an API).
JSON with Padding is just a way to circumvent the same-origin policy when CORS is not an option. This is risky and a bad practice. Avoid using this.
If you want to bypass that restriction when fetching the contents with the fetch API or XMLHttpRequest in JavaScript, you can use a proxy server so that it sets the header Access-Control-Allow-Origin to *.
If you need to enable CORS on the server in the case of localhost, you need to have the following in the request header.
Access-Control-Allow-Origin: http://localhost:9999
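An added illustration, not code from this thread or from F5, of the check the browser applies when it reports the error quoted in the question, and of a quick way to see which CORS headers a filtering proxy dropped. The header sets are constructed; the page origin is the one from the question, and the reason strings are modelled on Firefox's console wording.

```python
"""Browser-side CORS read check and a direct-vs-proxy header diff (added example)."""
from __future__ import annotations

ACAO = "Access-Control-Allow-Origin"
ACAC = "Access-Control-Allow-Credentials"


def cors_allows_read(origin: str, response_headers: dict[str, str],
                     with_credentials: bool = False) -> tuple[bool, str]:
    """Decide whether a page from `origin` may read a cross-origin response.

    Header names are matched case-insensitively. Returns (allowed, reason).
    """
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get(ACAO.lower())
    if acao is None:  # the case in the question: nothing came back through the proxy
        return False, "CORS header 'Access-Control-Allow-Origin' missing"
    if "," in acao:  # two values (e.g. app and proxy both added one) is also a failure
        return False, "Multiple CORS header 'Access-Control-Allow-Origin' not allowed"
    if acao == "*":
        if with_credentials:
            return False, "Credential is not supported if the CORS header 'Access-Control-Allow-Origin' is '*'"
        return True, "wildcard origin allowed for a request without credentials"
    if acao != origin:
        return False, f"CORS header 'Access-Control-Allow-Origin' does not match '{acao}'"
    if with_credentials and headers.get(ACAC.lower(), "").lower() != "true":
        return False, "expected 'true' in CORS header 'Access-Control-Allow-Credentials'"
    return True, "origin matched"


def stripped_cors_headers(direct: dict[str, str], via_proxy: dict[str, str]) -> list[str]:
    """Access-Control-* headers present on the direct response but missing via the proxy."""
    proxied = {k.lower() for k in via_proxy}
    return sorted(k for k in direct
                  if k.lower().startswith("access-control-") and k.lower() not in proxied)


# Constructed sample: the same resource fetched directly and through a filtering proxy.
DIRECT = {"Content-Type": "image/gif", "Access-Control-Allow-Origin": "*",
          "Access-Control-Allow-Methods": "GET"}
VIA_PROXY = {"Content-Type": "image/gif"}  # body forwarded, CORS headers dropped

if __name__ == "__main__":
    page_origin = "https://ga.vyond.com"
    print(cors_allows_read(page_origin, DIRECT))
    print(cors_allows_read(page_origin, VIA_PROXY))
    print("stripped by proxy:", stripped_cors_headers(DIRECT, VIA_PROXY))
```

Comparing the two header sets is the fastest way to confirm whether the BIG-IP path, rather than the origin server, is where Access-Control-Allow-Origin disappears.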