Why is this cross site XHR request blocked?

Using Firefox 83.0 on Windows 7 and Windows 10, no plugins or extensions installed.

  • I open an HTML page on server https://secure...
  • The page successfully loads lots of scripts and other resources from server https://deimos...
  • When using an XHR request to access an ODATA resource on https://deimos... the request is marked as "blocked" in DevTools, see screenshot
  • When hovering the "blocked" icon in the console, "blocked by DevTools" is displayed
  • The page works fine in Chromium based browsers (tested Edge, Chrome, Firefox)
  • The page works fine if it is hosted on https://deimos... instead of https://secure... (that's why I assume that it is some Cross-Origin issue)
  • The server provides Access-Control-* headers, see screenshot. The headers provided for the blocked XHR request are the same if I check them in the chromium based browsers.
  • There is no sign (like a pre-flight OPTIONS request) of the blocked request in the web server logs
  • Only requests which use credentials are blocked. Other XHR requests without credentials (like the one following the blocked request on the screenshot) seem to succeed.

I played around with the "Content-Security-Policy" meta tag in the document, with no success. For requests blocked by this policy, DevTools explicitly displayed the Content Security Policy as the reason for blocking the request.

I found lots of posts on the net concerning the Access-Control-Allow-Credentials header; I also found that for requests with credentials the Access-Control-Allow-Origin header must not return "*". IMHO those are correctly provided by my server.

Any idea of what is going wrong here? I can provide the link to access the page in a personal mail...

Kind regards,
Ted
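
The CORS check that browsers apply to a cross-origin response, including the rules for credentialed requests mentioned in the question, as an added example that is not part of the original post. The origins and header values are constructed placeholders, and `corsCheck` is a hypothetical helper name.

```javascript
// Added example (not from the original post): the CORS check from the Fetch
// standard, applied to a response's headers. Origins are constructed placeholders.
function corsCheck(requestOrigin, withCredentials, responseHeaders) {
  // Header names are case-insensitive; values are compared after trimming.
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { ok: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (allowOrigin === "*") {
    // The wildcard only satisfies requests sent without credentials.
    return withCredentials
      ? { ok: false, reason: "wildcard origin not allowed with credentials" }
      : { ok: true, reason: "wildcard origin, no credentials" };
  }
  // Otherwise the value must equal the serialized request origin exactly
  // (scheme, host and port; no trailing slash, no list of origins).
  if (allowOrigin !== requestOrigin) {
    return { ok: false, reason: "Access-Control-Allow-Origin does not match origin" };
  }
  if (!withCredentials) return { ok: true, reason: "origin matches" };
  // With credentials, the value must be the case-sensitive string "true".
  if (h["access-control-allow-credentials"] !== "true") {
    return { ok: false, reason: "Access-Control-Allow-Credentials is not 'true'" };
  }
  return { ok: true, reason: "origin matches, credentials allowed" };
}

// Constructed sample responses for a page served from https://app.example.
const origin = "https://app.example";
const samples = [
  [true, { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true" }],
  [true, { "Access-Control-Allow-Origin": origin }],
  [true, { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "True" }],
  [true, { "access-control-allow-origin": origin, "access-control-allow-credentials": "true" }],
  [false, { "Access-Control-Allow-Origin": "*" }],
];
for (const [creds, headers] of samples) {
  console.log(creds ? "with credentials:" : "no credentials:", corsCheck(origin, creds, headers).reason);
}
```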
