How can I resolve Firefox CORS security errors?
I'm trying to resolve a CORS issue. Firefox was updated to Firefox Developers Edition 95.0b12 and I'm suddenly confronted with two security errors:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at file:///Volumes//Current/Modules/Card/source/_css/main.css. (Reason: CORS request not http).
and
Security Error: Content at moz-nullprincipal:{481aa54d-8412-44b4-a56d-903c17f681a6} may not load or link to file:///Volumes/Current/Modules/Card/source/_css/fonts.css.
I've set the following Firefox variables to what seems to be the correct value.
privacy_file_unique_origin = false
content.cors.disable. = false
network.cors_preflight.allow_client_cert = true
These settings didn't solve the problem. Maybe one or more of them are incorrect, or maybe there are other settings required. I'm not able to identify any additional Firefox variables that might possibly relate to the errors. The only other approach I'm thinking of is to have our ISP set CORS headers on the server. This wasn't needed for previous FF versions.
I'm hoping a Firefox savvy expert can inform me of what's needed.
I probably should point out that the errors are generated by "same domain" local files during development in Sublime Text 3/Codekit 3/Firefox DE environment.
2) There's no reason to have a CORS policy for local files, which relates to all URIs you've posted above.
3) Fix: Turn off all server level CORS policy definitions.
Use protocol agnostic URLs.
So rather than https://foo.com/flarg.jpg or http://foo.com/flarg.jpg use a URI of /flarg.jpg with no protocol specifier.
This will also avoid both CORS problems + browser security blocks.
This also allows the site to be renamed easily, as there's also no domain/host embedded in any URI.
ASKER
All HTML pathnames are relative; i.e., <link rel="stylesheet" href="./_css/main.css" crossorigin="anonymous">
Local File Security in Firefox 68
- In response to CVE-2019-11730, Firefox 68 and later define the origin of a page opened using a file:/// URI as unique. Therefore, other resources in the same directory or its subdirectories no longer satisfy the CORS same-origin rule. This new behavior is enabled by default using the privacy.file_unique_origin preference.
I thought changing the default value of privacy_file_unique_origin = false from true to false would fix the problem.
Thanks for your help.
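The Firefox 68 note quoted above, worked through as an added example (not part of the original thread and not Firefox source code): a simplified model of how the same relative href is classified from a file:/// page and from an http page. The page name index.html and the address http://localhost:8000 are assumptions; the file path and the href come from the posts above.

```javascript
// Added example: a simplified model of the decision, not Firefox source code.

// Older rule for file: pages: a resource in the page's directory or a
// subdirectory counts as same-origin. With uniqueFileOrigin (the Firefox 68+
// default described above) no two file: URLs are same-origin.
function sameOrigin(page, res, uniqueFileOrigin) {
  if (page.protocol === 'file:' && res.protocol === 'file:') {
    if (uniqueFileOrigin) return false;
    const dir = page.pathname.slice(0, page.pathname.lastIndexOf('/') + 1);
    return res.pathname.startsWith(dir);
  }
  return page.origin === res.origin;
}

function classifyLoad(pageHref, ref, opts = {}) {
  const { crossorigin = false, uniqueFileOrigin = true } = opts;
  const page = new URL(pageHref);
  const res = new URL(ref, page); // resolve the relative href as the browser would
  let verdict;
  if (res.protocol === 'file:' && page.protocol !== 'file:') {
    verdict = 'blocked: web content may not link to file:';
  } else if (sameOrigin(page, res, uniqueFileOrigin)) {
    verdict = 'allowed: same-origin';
  } else if (!crossorigin) {
    verdict = 'allowed: no-cors (response is opaque to scripts)';
  } else if (!/^https?:$/.test(res.protocol)) {
    // crossorigin="anonymous" forces a CORS request, which needs http(s)
    verdict = 'blocked: CORS request not http';
  } else {
    verdict = 'allowed only if response carries Access-Control-Allow-Origin';
  }
  return { url: res.href, verdict };
}

// Constructed inputs: index.html and http://localhost:8000 are assumptions.
const FILE_PAGE = 'file:///Volumes/Current/Modules/Card/source/index.html';
const HTTP_PAGE = 'http://localhost:8000/index.html';
const HREF = './_css/main.css';

function demo() {
  return [
    classifyLoad(FILE_PAGE, HREF, { crossorigin: true }),
    classifyLoad(FILE_PAGE, HREF, { crossorigin: true, uniqueFileOrigin: false }),
    classifyLoad(HTTP_PAGE, HREF, { crossorigin: true }),
  ];
}
console.log(demo());
```

The model covers only the "CORS request not http" error; the moz-nullprincipal error is a separate check that it does not represent.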
ASKER
The error is triggered because your files are not http but a direct path. Try to change the path for both using http
file:///Volumes//Current/Modules/Card/source/_css/main.css
to something like this