CORS Configuration Issue in Firefox – Works in Chrome
Hi,
I'm developing a website that needs to authenticate with an external endpoint. Once authenticated, the website receives a session cookie that it uses for subsequent API requests.
I've configured the CORS headers on both Apache and Nginx, but I can't get it to work in Firefox. Interestingly, the same setup works perfectly in Google Chrome.
Here's an example of the headers I receive using a curl call:
curl -X OPTIONS https://crlliria.moval.es/web/session/authenticate \
  -H "Origin: https://gis.moval.es" \
  -H "Access-Control-Request-Method: POST" -I -k

HTTP/1.1 204 No Content
Server: nginx
Date: Wed, 04 Dec 2024 10:23:24 GMT
Connection: keep-alive
Access-Control-Allow-Origin: https://gis.moval.es
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE
Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range
Access-Control-Max-Age: 1728000
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Despite these headers appearing correct, Firefox throws the following error:
"Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’."
I know the Access-Control-Allow-Origin value is not * (it's set to https://gis.moval.es), so this message might not reflect the real issue. However, I can't figure out how to debug it further.
Questions:
Is there anything specific about Firefox's handling of CORS and credentials that might cause this issue?
Are there tools or techniques I can use to diagnose the actual problem?
Could there be a subtle discrepancy in the request or response that Firefox is stricter about compared to Chrome?
Any help or suggestions would be greatly appreciated!
Thanks in advance.
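The curl output in the post covers only the OPTIONS preflight, while a browser applies the same credential rules to the response to the actual POST. The following is an added example, not part of the original post, that audits a raw header dump (as printed by `curl -i`) against those rules, including the case where more than one layer adds the same header; the function names and the second sample response are constructed for illustration.

```javascript
// Added example (not from the post): audit raw response headers, as printed by
// `curl -i`, against the rules a browser applies to a credentialed CORS request.
function parseHeaders(raw) {
  const headers = new Map(); // lower-cased name -> all values, duplicates kept
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // status line or blank line
    const name = line.slice(0, idx).trim().toLowerCase();
    headers.set(name, [...(headers.get(name) || []), line.slice(idx + 1).trim()]);
  }
  return headers;
}

// requestHeaders (assumption): the non-safelisted headers the page's fetch/XHR sends.
function auditCredentialedCors(raw, origin, { preflight = false, requestHeaders = [] } = {}) {
  const h = parseHeaders(raw);
  const problems = [];
  const acao = h.get("access-control-allow-origin") || [];
  if (acao.length === 0) problems.push("missing Access-Control-Allow-Origin");
  if (acao.length > 1) problems.push("duplicate Access-Control-Allow-Origin");
  if (acao.includes("*")) problems.push("Access-Control-Allow-Origin is * with credentials");
  else if (acao.length === 1 && acao[0] !== origin) problems.push("Access-Control-Allow-Origin does not match Origin");
  const acac = h.get("access-control-allow-credentials") || [];
  if (acac.length !== 1 || acac[0] !== "true") problems.push("Access-Control-Allow-Credentials is not exactly true");
  if (preflight) {
    const allowed = (h.get("access-control-allow-headers") || []).join(",")
      .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
    if (allowed.includes("*")) problems.push("Access-Control-Allow-Headers is * with credentials");
    for (const name of requestHeaders)
      if (!allowed.includes(name.toLowerCase())) problems.push(`request header not allowed: ${name}`);
  }
  return problems;
}

// Subset of the preflight headers shown in the post's curl output.
const PREFLIGHT = [
  "HTTP/1.1 204 No Content",
  "Access-Control-Allow-Origin: https://gis.moval.es",
  "Access-Control-Allow-Credentials: true",
  "Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range",
].join("\n");
// Constructed sample: a POST response in which two layers each added the header.
const ACTUAL = [
  "HTTP/1.1 200 OK",
  "Access-Control-Allow-Origin: https://gis.moval.es",
  "Access-Control-Allow-Origin: *",
  "Access-Control-Allow-Credentials: true",
].join("\n");
console.log(auditCredentialedCors(PREFLIGHT, "https://gis.moval.es", { preflight: true, requestHeaders: ["Content-Type"] }));
console.log(auditCredentialedCors(ACTUAL, "https://gis.moval.es"));
```

To audit a live endpoint, paste the output of `curl -i` for the real POST, sent with the same Origin header, in place of the constructed sample.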