http://jeffmcmahan.info/blog/firewall-causes-cors-to-fail/

 

The comments in this post suggest using TLS/SSL. The firewall can’t mess with 
your headers.

 

Regards

 

Adrian Halid 

 

From: [email protected] [mailto:[email protected]] On 
Behalf Of David Burstin
Sent: Tuesday, 13 October 2015 2:08 PM
To: Thomas Koster <[email protected]>
Cc: ozDotNet <[email protected]>
Subject: Re: CORS, Azure, Chrome desktop and mobile

 

Firstly, thanks again to everyone who has taken the time to look at this.

 

Yes, it turns out that it is a firewall issue. :(

 

So, given that having a web page talk to a web service at a different origin is 
not a crazy or unusual situation, how do you guys deal with this? How do you 
make the web page work, given that you can't go to everyone who looks at your 
site and ask them to change their firewall rules, no matter how dumb they are 
(the firewall rules and the people you are talking to)?

 

Or is it just not possible?

 

Cheers

Dave

 

On 13 October 2015 at 16:53, Thomas Koster <[email protected]> wrote:

On 13 October 2015 at 15:39, David Burstin <[email protected]> wrote:
> My response headers don't have "Access-Control-Allow-Origin". Any ideas
> why? (I am about to hit google)

On 13 October 2015 at 16:11, Thomas Koster <[email protected]> wrote:
> Are you using a proxy, firewall or browser plugin that is removing them?
> If you suspect this, try HTTPS (although a browser plugin can still bite
> you).

On 13 October 2015 at 16:15, David Burstin <[email protected]> wrote:
> Thanks Thomas. Definitely not a plugin, possibly a proxy or firewall issue.
> I will talk to the guys here who know more about this than me.

At first, looking at your screenshot, I didn't think that a proxy or
firewall was removing headers because outgoing headers look fine and
rubbish headers like "X-Powered-By" did make it through. (Why include
"X-Powered-By" on a whitelist but not CORS headers?!). But then I
noticed that "X-AspNet-Version" is also missing from your
screenshot...

--
Thomas Koster
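
The diagnosis reached in this thread (headers present at the server but missing at the browser) can be checked mechanically. The following is an added example, not code from any poster in the thread: it compares a header dump taken at the web service with one taken in the browser and separates "stripped in transit" from "never sent". The header dumps, the origin `https://app.example` and all function names are constructed for illustration.

```javascript
// Constructed sample data (not captures from the thread): what the service
// sent versus what the browser's network panel showed behind the firewall.
const SENT_BY_SERVER = [
  "HTTP/1.1 200 OK",
  "Content-Type: application/json",
  "Access-Control-Allow-Origin: https://app.example",
  "X-AspNet-Version: 4.0.30319",
  "X-Powered-By: ASP.NET",
].join("\r\n");
const SEEN_BY_BROWSER = [
  "HTTP/1.1 200 OK",
  "Content-Type: application/json",
  "X-Powered-By: ASP.NET",
].join("\r\n");

// Parse a raw header block into a Map keyed by lower-cased header name.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/).slice(1)) { // skip the status line
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // not a "Name: value" line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    // Repeated headers are combined, as a browser would see them.
    headers.set(name, headers.has(name) ? headers.get(name) + ", " + value : value);
  }
  return headers;
}

// Origin check a browser applies to a non-credentialed cross-origin response.
function corsAllows(headers, origin) {
  const acao = headers.get("access-control-allow-origin");
  return acao === "*" || acao === origin;
}

// Compare both vantage points and say where the CORS failure originates.
function diagnose(sentRaw, seenRaw, origin) {
  const sent = parseHeaders(sentRaw);
  const seen = parseHeaders(seenRaw);
  const stripped = [...sent.keys()].filter((name) => !seen.has(name));
  let verdict = "server-misconfigured"; // the service never allowed the origin
  if (corsAllows(seen, origin)) verdict = "ok";
  else if (corsAllows(sent, origin)) verdict = "stripped-in-transit";
  return { stripped, verdict };
}

console.log(diagnose(SENT_BY_SERVER, SEEN_BY_BROWSER, "https://app.example"));
```

A `stripped-in-transit` verdict points at a middlebox between the service and the client; serving the API over HTTPS removes the middlebox's ability to edit headers unless it also intercepts TLS.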

 
