Firefox 'Cross-Origin Request Blocked' despite headers [closed]

javascript cors cross-domain firefox

I'm trying to make a simple cross-origin request, and Firefox is consistently blocking it with this error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at [url]. This can be fixed by moving the resource to the same domain or enabling CORS. [url]

It works fine in Chrome and Safari.

As far as I can tell I've set all the correct headers on my PHP to allow this to work. Here's what my server is responding with 

HTTP/1.1 200 OK
Date: Mon, 23 Jun 2014 17:15:20 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.4-14+deb7u8
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: Content-Type
Access-Control-Request-Headers: X-Requested-With, accept, content-type
Vary: Accept-Encoding
Content-Length: 186
Content-Type: text/html

I've tried using Angular, jQuery, and a basic XMLHTTPRequest object, like so:

var data = "id=1234"
var request = new XMLHttpRequest({mozSystem: true})
request.onload = onSuccess;
request.open('GET', 'https://myurl.com' + '?' + data, true)
request.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded')
request.send()

...and it works in every browser except Firefox. Can anyone help with this?


Turns out this has nothing to do with CORS- it was a problem with the security certificate. Misleading errors = 4 hours of headaches.


I came across this question having found requests in Firefox were being blocked with the message:

Reason: CORS request did not succeed

After pulling my hair out I found out that a newly installed Firefox extension, Privacy Badger, was blocking the requests.

If you come to this question after scratching your head, try checking to see what extensions you have installed to see if any of them are blocking requests.

See Reason: CORS request did not succeed on MDN for details.


I found that my problem was that the server I've sent the cross request to had a certificate that was not trusted.

If you want to connect to a cross domain with https, you have to add an exception for this certificate first.

You can do this by visiting the blocked link once and addibng the exception.

Related

Can infinitely many primes lie over a prime?
How does induction fail in computable nonstandard models?
What is the meaning of evaluating the divergence at a _point_?
How to prove that homomorphism from field to ring is injective or zero? [duplicate]
Are there surprisingly identical binomial coefficients?
I could see them run towards the shop; I could see them running towards the shop [duplicate]
Predicative use of 'ongoing'
Have had or Have been
A subordinate clause beginning with "if"
Term for when someone falsely accuses you of doing to them what they are actually doing to you
Synonym for 'expression of character through posture and/or countenance'
What did Terry Pratchett mean by "avec"?