Firefox 'Cross-Origin Request Blocked' despite headers [closed]

I'm trying to make a simple cross-origin request, and Firefox is consistently blocking it with this error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at [url]. This can be fixed by moving the resource to the same domain or enabling CORS. [url]

It works fine in Chrome and Safari.

As far as I can tell I've set all the correct headers on my PHP to allow this to work. Here's what my server is responding with:

HTTP/1.1 200 OK
Date: Mon, 23 Jun 2014 17:15:20 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.4-14+deb7u8
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: Content-Type
Access-Control-Request-Headers: X-Requested-With, accept, content-type
Vary: Accept-Encoding
Content-Length: 186
Content-Type: text/html

I've tried using Angular, jQuery, and a basic XMLHttpRequest object, like so:

var data = "id=1234";
var request = new XMLHttpRequest({mozSystem: true});
request.onload = onSuccess;
request.open('GET', 'https://myurl.com' + '?' + data, true);
request.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
request.send();

...and it works in every browser except Firefox. Can anyone help with this?


Turns out this has nothing to do with CORS; it was a problem with the security certificate. Misleading errors = 4 hours of headaches.


I came across this question having found requests in Firefox were being blocked with the message:

Reason: CORS request did not succeed

After pulling my hair out I found out that a newly installed Firefox extension, Privacy Badger, was blocking the requests.

If you come to this question after scratching your head, try checking to see what extensions you have installed to see if any of them are blocking requests.

See Reason: CORS request did not succeed on MDN for details.


I found that my problem was that the server I've sent the cross request to had a certificate that was not trusted.

If you want to connect to a cross domain with https, you have to add an exception for this certificate first.

You can do this by visiting the blocked link once and adding the exception.
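
A way to tell the certificate cause described in the answers above apart from a real CORS header problem, as an added example that is not part of any original post: a Node.js probe that validates the certificate first and only then inspects `Access-Control-Allow-Origin`. The function names, result labels, sample outcomes and the URL in the usage comment are assumptions made for illustration.

```javascript
// Added example, not code from the original posts.
// Node surfaces these codes on err.code when the server certificate fails validation.
const CERT_ERRORS = new Set([
  'DEPTH_ZERO_SELF_SIGNED_CERT',
  'SELF_SIGNED_CERT_IN_CHAIN',
  'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  'UNABLE_TO_GET_ISSUER_CERT_LOCALLY',
  'CERT_HAS_EXPIRED',
  'ERR_TLS_CERT_ALTNAME_INVALID',
]);

// Classify one probe outcome. TLS is checked first: if the handshake fails,
// the browser never receives the CORS headers, however correct they are.
function diagnose(outcome, pageOrigin) {
  if (outcome.error) {
    return CERT_ERRORS.has(outcome.error) ? 'tls-certificate-untrusted' : 'network-error';
  }
  const allow = outcome.headers['access-control-allow-origin'];
  if (allow === undefined) return 'cors-header-missing';
  if (allow !== '*' && allow !== pageOrigin) return 'cors-origin-mismatch';
  return 'cors-headers-ok';
}

// Request the URL with normal certificate validation and record what happened.
function probe(url, pageOrigin) {
  const https = require('https'); // loaded here so diagnose() works without it
  return new Promise((resolve) => {
    const req = https.request(url, { headers: { Origin: pageOrigin } }, (res) => {
      res.resume(); // discard the body, only the headers matter
      resolve({ headers: res.headers });
    });
    req.on('error', (err) => resolve({ error: err.code }));
    req.end();
  });
}

// Constructed outcomes: the question's header set, and a self-signed certificate.
const SAMPLE_OK = { headers: { 'access-control-allow-origin': '*' } };
const SAMPLE_BAD_CERT = { error: 'DEPTH_ZERO_SELF_SIGNED_CERT' };

// Usage against a real endpoint (hypothetical URL and origin):
// probe('https://api.example.test/?id=1234', 'https://app.example.test')
//   .then((o) => console.log(diagnose(o, 'https://app.example.test')));
```

A result of `tls-certificate-untrusted` means the fix belongs in the server's certificate chain, not in its CORS headers.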