Error message "XMLHttpRequest access was blocked by CORS policy" during userinfo request via Oauth

Article ID: 274033

Products

SITEMINDER

Issue/Introduction

Despite having defined the ACO parameter

allowed-origins=REPLICATE_ORIGIN

for CORS, a userinfo request via OAuth returns the following CORS error in the browser:

XMLHttpRequest access to 'https://<sps_server>/affwebservices/CASSO/oidc/userinfo' from source 'https://<my_web_server>' was blocked by CORS policy: Preflight request response fails access control: 'Access-Control-Allow-Origin' header value in response must not be wildcard '*' when request credentials mode is 'include'. The credentials mode of requests initiated by XMLHttpRequest is controlled by the withCredentials attribute.
vendor-es2019.11d4dc3d264e74852a.js:1 error loading user info T {headers: d, status: 0, statusText: 'Unknown Error', url: 'https://<sps_server>/affwebservices/CASSO/oidc/userinfo', ok: false, ...}

Environment

CA SiteMinder 12.8 SP03 and later

Cause

This can happen when the directive

Header set Access-Control-Allow-Origin "*"

is present in the web server's local httpd.conf and the CORS module has been enabled there.

Under these conditions the local "*" setting overrides the value passed by the ACO, and the error occurs because the wildcard conflicts with the other CORS headers that are defined: as the browser message states, a wildcard 'Access-Control-Allow-Origin' is not accepted when the request is sent with credentials (withCredentials).
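The interaction described above, as an added example that is not from the article or the SiteMinder product: `replicate_origin_response` stands in for the assumed effect of allowed-origins=REPLICATE_ORIGIN (echoing the request Origin), `mod_headers` models the Apache 'Header set' / 'Header add' directive from the local httpd.conf, and `browser_cors_check` applies the browser rules that yield the error text quoted in the article. The origin and header values are constructed for the example.

```python
from __future__ import annotations

ORIGIN = "https://my_web_server.example"  # constructed stand-in for <my_web_server>

def replicate_origin_response(request_origin: str) -> list[tuple[str, str]]:
    """Headers assumed to leave the agent when allowed-origins=REPLICATE_ORIGIN
    is in effect: the request Origin is echoed back and credentials are allowed."""
    return [
        ("Access-Control-Allow-Origin", request_origin),
        ("Access-Control-Allow-Credentials", "true"),
    ]

def mod_headers(headers, action: str, name: str, value: str) -> list[tuple[str, str]]:
    """Model of the Apache 'Header' directive: 'set' replaces any existing header
    of that name (what the article's httpd.conf line does), 'add' appends a second copy."""
    if action == "set":
        headers = [(k, v) for (k, v) in headers if k.lower() != name.lower()]
    elif action != "add":
        raise ValueError(f"unsupported action {action!r}")
    return headers + [(name, value)]

def browser_cors_check(origin: str, headers, with_credentials: bool) -> tuple[bool, str]:
    """Return (allowed, reason) following the browser's checks on a CORS response."""
    acao = [v for (k, v) in headers if k.lower() == "access-control-allow-origin"]
    if not acao:
        return False, "no 'Access-Control-Allow-Origin' header on the requested resource"
    if len(acao) > 1:
        return False, f"multiple 'Access-Control-Allow-Origin' values {acao}, only one is allowed"
    if acao[0] == "*":
        if with_credentials:
            return False, ("'Access-Control-Allow-Origin' header value in response must not be "
                           "wildcard '*' when request credentials mode is 'include'")
        return True, "wildcard accepted for a request without credentials"
    if acao[0] != origin:
        return False, f"'Access-Control-Allow-Origin' value {acao[0]!r} does not match {origin!r}"
    acac = [v for (k, v) in headers if k.lower() == "access-control-allow-credentials"]
    if with_credentials and acac != ["true"]:
        return False, "'Access-Control-Allow-Credentials' must be 'true' for a credentialed request"
    return True, "origin echoed and credentials permitted"

# The article's scenario: the ACO echoes the origin, then the local httpd.conf
# 'Header set Access-Control-Allow-Origin "*"' replaces it with a wildcard.
aco_only = replicate_origin_response(ORIGIN)
with_local_override = mod_headers(aco_only, "set", "Access-Control-Allow-Origin", "*")

if __name__ == "__main__":
    # XMLHttpRequest with withCredentials=true is a credentialed request
    print(browser_cors_check(ORIGIN, aco_only, with_credentials=True))
    print(browser_cors_check(ORIGIN, with_local_override, with_credentials=True))
```

Swapping 'set' for 'add' in the model shows the other failure mode, two 'Access-Control-Allow-Origin' headers, which browsers also reject.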

Resolution

If the CORS ACO settings are defined, make sure no local CORS module is enabled on the web server that could override them.