Why is this cross site XHR request blocked?
Using Firefox 83.0 on Windows 7 and Windows 10, no plugins or extensions installed.
- I open an HTML page on server https://secure...
- The page successfully loads lots of scripts and other resources from server https://deimos...
- When using an XHR request to access an ODATA resource on https://deimos... the request is marked as "blocked" in DevTools, see screenshot
- When hovering the "blocked" icon in the console, "blocked by DevTools" is displayed
- The page works fine in Chromium-based browsers (tested Edge, Chrome, Firefox)
- The page works fine if it is hosted on https://deimos... instead of https://secure... (that's why I assume that it is some Cross-Origin issue)
- The server provides Access-Control-* headers, see screenshot. The headers provided for the blocked XHR request are the same if I check them in the Chromium-based browsers.
- There is no sign (like a pre-flight OPTIONS request) of the blocked request in the web server logs
- Only requests which use credentials are blocked. Other XHR requests without credentials (like the one following the blocked request on the screenshot) seem to succeed.
I played around with the "Content-Security-Policy" meta tag in the document, with no success. For requests blocked by this policy, DevTools explicitly displayed the Content Security Policy as the reason for blocking the request.
I found lots of posts on the net concerning the Access-Control-Allow-Credentials header. I also found that for requests with credentials the Access-Control-Allow-Origin header must not return "*". IMHO those are correctly provided by my server.
Any idea of what is going wrong here? I can provide the link to access the page in a personal mail...
Kind regards Ted
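
The header rules for requests with credentials that the question refers to can be checked mechanically against response headers copied from DevTools. This is an added example, not part of the original post; the origins and header values are constructed, and `checkCredentialedCors` is a hypothetical helper name.

```javascript
// Added example: checks CORS response headers against the Fetch rules for
// cross-origin requests sent with credentials (xhr.withCredentials = true).
// All origins and header values used here are constructed samples.

function getHeader(headers, name) {
  // Header names are case-insensitive.
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

function listContains(value, token) {
  return value.split(",").map(s => s.trim().toLowerCase()).includes(token.toLowerCase());
}

function checkCredentialedCors(pageOrigin, responseHeaders) {
  const problems = [];
  const allowOrigin = getHeader(responseHeaders, "Access-Control-Allow-Origin");
  const allowCreds = getHeader(responseHeaders, "Access-Control-Allow-Credentials");

  if (allowOrigin === null) {
    problems.push("missing Access-Control-Allow-Origin");
  } else if (allowOrigin === "*") {
    problems.push("Access-Control-Allow-Origin is '*', not allowed with credentials");
  } else if (allowOrigin !== pageOrigin) {
    // The browser compares against the serialized page origin exactly.
    problems.push(`Access-Control-Allow-Origin '${allowOrigin}' does not match '${pageOrigin}'`);
  }
  // The value is compared case-sensitively: "True" or "TRUE" fails.
  if (allowCreds !== "true") {
    problems.push("Access-Control-Allow-Credentials must be exactly 'true'");
  }
  // With credentials, '*' in these headers is a literal name, not a wildcard.
  for (const name of ["Access-Control-Allow-Headers", "Access-Control-Allow-Methods"]) {
    const v = getHeader(responseHeaders, name);
    if (v !== null && listContains(v, "*")) {
      problems.push(`${name} uses '*', which is not a wildcard with credentials`);
    }
  }
  return problems;
}

// Constructed sample: a response that fails for a credentialed request.
const sampleBad = { "access-control-allow-origin": "*", "Access-Control-Allow-Credentials": "True" };
console.log(checkCredentialedCors("https://app.example", sampleBad));
```

An empty result only means the headers satisfy the CORS rules for credentials; it says nothing about blocking that happens before the request is sent.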