I am using the TinyMCE editor in my website. It works well in Chrome but not in Firefox. When I check the Firefox console it says the following...
Cross-Origin Request Blocked: The Same Origin Policy disallows reading
the remote resource at
http://www.example.com/VisualServe/siteadmin/js/tinymce/skins/lightgray/fonts/tinymce.woff.
This can be fixed by moving the resource to the same domain or
enabling CORS.
But I have the font files in the same domain only. I mean it's all there in http://www.example.com/ only.
Can someone tell me how to fix it? It's happening only in Firefox. In Chrome it's working well.
Thanks,
I have a client website that is managed by the client team, and after clicking on login it comes to the site which is managed by us. Until now, we were extracting the referer URL from the request header and using it to take further actions, but currently, due to some changes in the Chrome and Edge browser policy, we are unable to get the complete referer URL. It works fine in Firefox and Internet Explorer. This is probably because of the browser policy which is restricting the complete referer URL from being sent when sec-fetch-site is cross-site. Please help me with some easy code-level ways (Java/JSP/JavaScript) to extract the complete URL. I tried exploring a few links but none helped me resolve this.
Mozilla Firefox and Internet Explorer use a referrer policy called ‘no-referrer-when-downgrade’. Earlier Chrome also used the same policy but it has now shifted to ‘strict-origin-when-cross-origin’ which restricts the referrer URL to only include the domain of the URL.
The resolution to make it work for the Chrome browser as well is to set the policy to ‘no-referrer-when-downgrade’ in the page where your request begins from, i.e. the initial page (which in your case is the client-managed one), which will help send the complete details, and the browser’s default policy won’t be applied. You may refer to the link below for a better understanding of these changed policies:
https://www.w3.org/TR/referrer-policy/
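The difference between the two policies named in the answer above, as an added example that is not part of the original post: a simplified model of how a browser chooses the `Referer` value. The host names and the `session` parameter are constructed, and "downgrade" is approximated as https to http.

```javascript
// Added example: simplified Referrer Policy evaluation for the policies discussed above.
// Assumption: "downgrade" is approximated as https -> http; the W3C text uses
// "potentially trustworthy" URLs, which also covers cases such as localhost.

function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (originOnly) return u.origin + "/"; // scheme + host + port only
  u.username = "";                       // credentials and fragment are never sent
  u.password = "";
  u.hash = "";
  return u.href;
}

function computeReferrer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol === "http:";

  switch (policy) {
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade":
      return downgrade ? null : stripForReferrer(fromUrl, false);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return stripForReferrer(fromUrl, false);
      return downgrade ? null : stripForReferrer(fromUrl, true);
    default:
      throw new Error("policy not modelled in this example: " + policy);
  }
}

// Constructed sample URLs (hypothetical hosts).
const loginPage = "https://client.example/portal/login?session=abc123#form";
const ourSite = "https://app.example/landing";

function demo() {
  return ["strict-origin-when-cross-origin", "no-referrer-when-downgrade"]
    .map((p) => `${p}: ${computeReferrer(p, loginPage, ourSite)}`);
}

console.log(demo().join("\n"));
```

The initial page can declare the policy with a `Referrer-Policy` response header or a `<meta name="referrer">` element. Under `no-referrer-when-downgrade` the path and query string of that page, including values such as the constructed `session` parameter, are sent to every cross-origin HTTPS destination it links to.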
I am using the Application Insights JavaScript SDK on my website and Firefox is blocking the requests back to Azure. It is however working on Chrome.
The website is running on https and Application Insights works correctly on Chrome.
On the Console in Firefox I see the following warning:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://dc.services.visualstudio.com/v2/track. (Reason: CORS request did not succeed).
Why is Firefox identifying the request as a blocked CORS request, but Chrome doesn't?
I would like the Application Insights request to succeed from Firefox as well.
Did you install an ad blocker extension (e.g. uBlock Origin)?
If yes, try to disable it.
Couple of points to look at:
Which version are you using for AI? Try upgrading your package to the latest one:
You can go ahead and try adding the site to the exceptions and see if it works; it could be because of the Firefox exception too:
Firefox 'Cross-Origin Request Blocked' despite headers
Last and most importantly, check the headers as mentioned by @Bergi in the comment to see if the headers are the same for both browsers.
Additional reference: https://github.com/Microsoft/ApplicationInsights-node.js/issues/133
http://testingfreak.com/how-to-fix-cross-origin-request-security-cors-error-in-firefox-chrome-and-ie/
Hope it helps.
Trying to put a LinkedIn Follow button onto the site. It works fine in Firefox, but does not in Chrome, with this error in the Console:
The source list for Content Security Policy directive 'script-src'
contains an invalid source: ''report-sample''. It will be ignored.
Same problem on LinkedIn's own Follow button generation page: https://developer.linkedin.com/plugins/follow-company
Same message in Console and nothing happens when button is clicked.
This happens only in Chrome currently (from the browsers I've checked). Must be related to https://developers.google.com/web/fundamentals/security/csp/
I am seeing the same thing. There appears to be a CSP issue with their implementation. The response to the GET request that is initiated when you click the button has its X-Frame-Options header set to sameorigin, so the browser isn't evaluating the response.
I reported the issue with examples to LinkedIn and they said they would have an engineer take a look.
I have an add-on for Firefox which modifies a page at http://target.com with data from http://data.com. It does this by making an XMLHttpRequest() in the add-on JavaScript and modifying the webpage accordingly. Neither the target nor the source servers are under my control.
This all worked fine until the target.com website changed to using https. As I was loading data from an http: address I got the following error:
Blocked loading mixed active content
Fortunately data.com also supports https, so I changed the data lookup address to https://data.com, and then I got
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://data.com
I read here that I could add the following to my package.json
    "permissions": {
        "cross-domain-content": ["https://data.com"]
    }
And now I don't get any errors, but the Developer Tools Network page doesn't show any connections being made.
Have I hit a dead end? I understand that CORS requires server support but I assumed that as it worked prior to the target server moving to https it would still work now.
Cheers
Rich
That is one of the issues with using libraries (and not the Firefox API).
Try using the native Firefox API, e.g. Connecting to Remote Content
Native Firefox API runs in the browser scope so there is no CORS to consider.
I'm developing a Greasemonkey script that implements a couple of tools onto a webpage. This script makes a request for data from
http://localhost/chess/heartbeat.php
Now currently in Firefox I am getting this console error which totally stops my jQuery AJAX request for data.
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at
http://localhost/chess/heartbeat.php.
This can be fixed by moving the resource to the same domain or enabling CORS.
I am able to work around this using Google Chrome. When I have it as a simple browser extension for Chrome, I'm able to have it do the same thing as Greasemonkey, and I can add the following permissions to the manifest file for the plugin, which allows me to make the same data request that Firefox blocked:
    "permissions": [
        "<all_urls>"
    ]
Anyway, this works on Chrome, but I want to achieve the same effect on Firefox. I've been researching this issue and I can't find a simple answer.
Normally XMLHttpRequest, and that includes jQuery's higher-level API around it, does not allow unrestricted cross-site requests but is limited by the same-origin policy and CORS.
As @epascarello already pointed out, you may use GM.xmlHttpRequest, which allows you to perform any cross-site XHR even when the server does not implement CORS or allow the origin site. It also comes with some other goodies.
You should add a @grant GM.xmlHttpRequest metadata block to your user script or your script may break in the future.
Since you mentioned Chrome extensions: Firefox extensions can perform cross-site XHR as well, e.g. most user scripts should be easily portable to an SDK add-on using PageMod and enabling certain permissions analogous to what you'd do in a Chrome extension.
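The approach from the answer above as a user script, added here as an example that is not part of the original answer. Because `GM.xmlHttpRequest` is not bound by the same-origin policy, the script pins the origins it may contact. The `@match` host, the `getJson` and `isAllowedTarget` helpers, and the assumption that `heartbeat.php` returns JSON are all hypothetical.

```javascript
// ==UserScript==
// @name     Heartbeat tools (added example)
// @match    https://chess.example/*
// @grant    GM.xmlHttpRequest
// ==/UserScript==

// Origins this script may contact. GM.xmlHttpRequest ignores the same-origin
// policy, so anything not listed here is refused before a request is made.
const ALLOWED_ORIGINS = new Set(["http://localhost"]);

function isAllowedTarget(url) {
  try {
    return ALLOWED_ORIGINS.has(new URL(url).origin);
  } catch (e) {
    return false; // not an absolute URL
  }
}

// gm is the GM object that Greasemonkey injects; it is passed in so the
// function can also be exercised outside the browser with a stub.
function getJson(gm, url, done) {
  if (!isAllowedTarget(url)) {
    done(new Error("refused: origin not allow-listed: " + url));
    return;
  }
  gm.xmlHttpRequest({
    method: "GET",
    url: url,
    onload: (res) => {
      if (res.status !== 200) return done(new Error("HTTP " + res.status));
      try {
        done(null, JSON.parse(res.responseText)); // assumption: JSON body
      } catch (e) {
        done(new Error("response is not JSON"));
      }
    },
    onerror: () => done(new Error("network error")),
  });
}

// Runs only inside the user script manager, where GM is defined.
if (typeof GM !== "undefined") {
  getJson(GM, "http://localhost/chess/heartbeat.php", (err, data) => {
    if (err) console.error(err.message);
    else console.log("heartbeat", data);
  });
}
```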