Chromium/Brave has been blocked by CORS policy

controlling · January 9, 2019, 9:54am

Hi There,

using the sample code from

02-User-Profile build with docker via exec.sh

Works on Chrome, but not Brave (Chromium)

Brave is up to date
Version 0.58.18 Chromium: 71.0.3578.98 (Official Build) (64-bit)

Application settings:
Allowed Callback URLs:http://localhost:3000/callback
Allowed Web Origins:http://localhost:3000
Allowed Origins (CORS):http://localhost:3000

Error:
:3000/profile:1 Access to XMLHttpRequest at ‘https://xxxx.eu.auth0.com/userinfo’ from origin ‘http://localhost:3000’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: Redirect is not allowed for a preflight request.

James.Morrison · January 9, 2019, 2:10pm

Hey there @controlling, I wanted to reach out and see if you have third party cookies enabled in Brave (Chromium)? I ask this because you note that it works in Chrome but not another browser. Does it perform as expected in Firefox or Safari? Thanks for working with me as we troubleshoot what may be going on here.

controlling · January 9, 2019, 4:36pm

Hi James,
yes 3rd party cookies are disabled, if I enable everything works. Can I mitigate this by using a custom domain?

Firefox and Safari work.

Kind regards,
Markus

James.Morrison · January 9, 2019, 9:49pm

@controlling that is correct. To echo what is stated in our above Cross-Origin Authentication documentation:

Limitations of Cross-Origin Authentication

Because cross-origin authentication is achieved using third-party cookies, disabling third-party cookies will make cross-origin authentication fail.

There are two approaches you can follow to remediate the issue:

Enable a Custom Domain on your tenant and host your web application in a domain that has the same top level domain as your Auth0 custom domain. Example: Host your application at https://northwind.com and set your Auth0 custom domain as https://login.northwind.com . This way the cookies are no longer third-party (because both your Auth0 tenant and your application are using the same top level domain) and thus are not blocked by browsers.

Provide a Cross-Origin verification page that will make cross-origin authentication work in some browsers even with third-party cookies disabled (see the browser testing matrix below).

These issues are another reason why the more practical solution is to use Universal Login.

Please let me know if this helps you in your quest. Thanks!

James.Morrison · January 24, 2019, 1:49am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Auth0 and app hosted under parent domain. Is it still 3rdparty cookie? Get Help sso , application , cross-origin-authentication , protocols	0	1753	December 2, 2022
Third party cookies disabled - Chrome - Custom Domain Implemented - Error Archived content login , custom-domain , cors , third-party	2	5496	August 26, 2019
Auth0 Login not working on the site when Third party cookies is disabled Get Help	1	3505	November 11, 2021
Troubles with username/password login in Safari with "Prevent cross-site tracking" option Get Help auth0 , login , cross-origin-authent	2	6452	December 5, 2020
Domain has been blocked by CORS policy: No 'Access-Control-Allow-Origin' Get Help cors	4	15960	April 29, 2021

Chromium/Brave has been blocked by CORS policy

Related topics