Sign in Register
Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • TomDS 6 posts 96 karma points
    Jul 28, 2020 @ 07:38
    TomDS
    0

    Unable to view packages due to CORS policy

    When attempting to view packages. Developer -> Packages.

    The request to load the packages is failing due to failing a CORS policy.

    Access to XMLHttpRequest at 'https://our.umbraco.org/webapi/packages/v1' from origin 'https://localhost:8081' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

    The issue is present across all of our environments.

    I am unsure how to configure CORS to get around this.

    Copy Link
  • David Armitage 414 posts 1655 karma points
    Aug 01, 2020 @ 03:30
    David Armitage
    0

    Hi Tom,

    Check the web config. Have you got any strict security header in here. Maybe something similar to one of my client sites.

     <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <remove name="X-Frame-Options" />
        <remove name="X-Xss-Protection" />
        <remove name="X-Content-Type-Options" />
        <remove name="Content-Security-Policy" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-Xss-Protection" value="1; mode=block" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Content-Security-Policy" value="img-src 'self' data: *.google-analytics.com umbraco.tv *.umbraco.tv i.ytimg.com *.umbraco.org www.gravatar.com" />
        <add name="Referrer-Policy" value="strict-origin" />
        <add name="Feature-Policy" value="fullscreen 'none'; microphone 'none'" />
      </customHeaders>
    </httpProtocol>

    It might be worth checking you down have anything like this in there. Probably compare what headers are used with Umbraco out of the box.

    I think it should look something like this by default.

    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By"/>
      </customHeaders>
    </httpProtocol>

    Regards

    David

    Copy Link
  • TomDS 6 posts 96 karma points
    Aug 11, 2020 @ 07:40
    TomDS
    0

    Hi David,

    Currently Web.config contains the following which appears to have been in place for a long time prior to the package browser stopping working.

    <httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
    <!-- force newest IE rendering engine -->
    <remove name="X-UA-Compatible" />
    <add name="X-UA-Compatible" value="IE=Edge" />
    <remove name="X-XSS-Protection" />
    <add name="X-XSS-Protection" value="1; mode=block" />
  </customHeaders>
</httpProtocol>
    Copy Link

  • This forum is in read-only mode while we transition to the new forum.

    You can continue this topic on the new forum by tapping the "Continue discussion" link below.

Please Sign in or register to post replies