We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

搜尋 Mozilla 技術支援網站

防止技術支援詐騙。我們絕對不會要求您撥打電話或發送簡訊,或是提供個人資訊。請用「回報濫用」功能回報可疑的行為。

了解更多

CORS Configuration Issue in Firefox – Works in Chrome

more options

Hi,

I'm developing a website that needs to authenticate with an external endpoint. Once authenticated, the website receives a session cookie that it uses for subsequent API requests.

I've configured the CORS headers on both Apache and Nginx, but I can't get it to work in Firefox. Interestingly, the same setup works perfectly in Google Chrome.

Here's an example of the headers I receive using a curl call:

curl -X OPTIONS https://crlliria.moval.es/web/session/authenticate \ -H "Origin: https://gis.moval.es" \ -H "Access-Control-Request-Method: POST" -I -k

HTTP/1.1 204 No Content Server: nginx Date: Wed, 04 Dec 2024 10:23:24 GMT Connection: keep-alive Access-Control-Allow-Origin: https://gis.moval.es Access-Control-Allow-Credentials: true Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range Access-Control-Max-Age: 1728000 Content-Type: text/plain; charset=utf-8 Content-Length: 0

Despite these headers appearing correct, Firefox throws the following error:

"Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’."

I know the Access-Control-Allow-Origin value is not * (it's set to https://gis.moval.es), so this message might not reflect the real issue. However, I can't figure out how to debug it further.

Questions:

Is there anything specific about Firefox's handling of CORS and credentials that might cause this issue? Are there tools or techniques I can use to diagnose the actual problem? Could there be a subtle discrepancy in the request or response that Firefox is stricter about compared to Chrome? Any help or suggestions would be greatly appreciated!

Thanks in advance.

Hi, I'm developing a website that needs to authenticate with an external endpoint. Once authenticated, the website receives a session cookie that it uses for subsequent API requests. I've configured the CORS headers on both Apache and Nginx, but I can't get it to work in Firefox. Interestingly, the same setup works perfectly in Google Chrome. Here's an example of the headers I receive using a curl call: curl -X OPTIONS https://crlliria.moval.es/web/session/authenticate \ -H "Origin: https://gis.moval.es" \ -H "Access-Control-Request-Method: POST" -I -k HTTP/1.1 204 No Content Server: nginx Date: Wed, 04 Dec 2024 10:23:24 GMT Connection: keep-alive Access-Control-Allow-Origin: https://gis.moval.es Access-Control-Allow-Credentials: true Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range Access-Control-Max-Age: 1728000 Content-Type: text/plain; charset=utf-8 Content-Length: 0 Despite these headers appearing correct, Firefox throws the following error: "Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’." I know the Access-Control-Allow-Origin value is not * (it's set to https://gis.moval.es), so this message might not reflect the real issue. However, I can't figure out how to debug it further. Questions: Is there anything specific about Firefox's handling of CORS and credentials that might cause this issue? Are there tools or techniques I can use to diagnose the actual problem? Could there be a subtle discrepancy in the request or response that Firefox is stricter about compared to Chrome? Any help or suggestions would be greatly appreciated! Thanks in advance.
附加的畫面擷圖

所有回覆 (1)

more options

Hi Salvador Sánchez Aroca!

It sounds like you're facing a frustrating issue with CORS and authentication in Firefox. Let’s see if we can troubleshoot this together.

Cross-Origin Credentials Rule: Firefox is stricter compared to Chrome when it comes to handling CORS with credentials. Even though you have Access-Control-Allow-Origin set correctly, make sure that both the request and response are handling credentials properly. For Access-Control-Allow-Credentials to be true, you need to ensure that Access-Control-Allow-Origin is not set to * — which appears to be correct in your case.

Check Preflight Requests: Since you’re using POST, ensure your server correctly responds to the preflight OPTIONS request. Review the headers returned in response to the OPTIONS request to confirm they match your expectations.

Use Firefox Debugging Tools: The Firefox Developer Tools can help you analyze network requests. Look at the "Network" tab to check the headers for both your OPTIONS and POST requests. This may reveal if any headers are missing.

CORS and Path Matching: Check if there’s any mismatch between your origin (the referring domain) and the headers set on your server. Sometimes, discrepancies in subdomain or trailing slashes can cause issues.

Browser Cache: Clear your browser cache, as old response headers might affect new requests. Test with Different Origins: If possible, try testing with a simpler setup to see if it’s an issue with your specific domain configuration. This can help isolate the problem.

If the issue persists, consider setting up a minimal example or using tools like Postman or Insomnia to replicate the request. This can help determine if it’s a browser-specific issue or a problem with your server setup.

I hope this helps, and best of luck with your project! Cheers!

有幫助嗎?

問個問題

如果您還沒有帳號,您必須先登入帳號 來回覆文章。還沒有帳號的話,只能發問新問題