Chromium/Brave has been blocked by CORS policy

Hi There,

Using the sample code from 02-User-Profile, built with Docker via exec.sh.

Works on Chrome, but not Brave (Chromium)

Brave is up to date
Version 0.58.18 Chromium: 71.0.3578.98 (Official Build) (64-bit)

Application settings:
Allowed Callback URLs: http://localhost:3000/callback
Allowed Web Origins: http://localhost:3000
Allowed Origins (CORS): http://localhost:3000

Error:
:3000/profile:1 Access to XMLHttpRequest at 'https://xxxx.eu.auth0.com/userinfo' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

Hey there @controlling, I wanted to reach out and see if you have third party cookies enabled in Brave (Chromium)? I ask this because you note that it works in Chrome but not another browser. Does it perform as expected in Firefox or Safari? Thanks for working with me as we troubleshoot what may be going on here.

Hi James,
Yes, 3rd party cookies are disabled; if I enable them, everything works. Can I mitigate this by using a custom domain?

Firefox and Safari work.

Kind regards,
Markus

@controlling that is correct. To echo what is stated in our above Cross-Origin Authentication documentation:

Limitations of Cross-Origin Authentication

Because cross-origin authentication is achieved using third-party cookies, disabling third-party cookies will make cross-origin authentication fail.

There are two approaches you can follow to remediate the issue:

  • Enable a Custom Domain on your tenant and host your web application in a domain that has the same top level domain as your Auth0 custom domain. Example: Host your application at https://northwind.com and set your Auth0 custom domain as https://login.northwind.com. This way the cookies are no longer third-party (because both your Auth0 tenant and your application are using the same top level domain) and thus are not blocked by browsers.
  • Provide a Cross-Origin verification page that will make cross-origin authentication work in some browsers even with third-party cookies disabled (see the browser testing matrix below).

These issues are another reason why the more practical solution is to use Universal Login.

Please let me know if this helps you in your quest. Thanks!
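
The same-site reasoning in the quoted documentation, as an added example that is not part of the original thread or Auth0's code: it checks whether an application origin and an authentication domain share a registrable domain, which decides whether the authentication cookies are third-party. The function names and the short suffix set are assumptions made for illustration.

```javascript
// Added example. PUBLIC_SUFFIXES is a small constructed sample; a real check
// must use the full Public Suffix List (https://publicsuffix.org/).
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "io", "co.uk"]);

// Registrable domain (eTLD+1) of a hostname. Hosts with no known public
// suffix (e.g. "localhost", IP literals) are treated as their own site.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  const labels = host.split(".");
  // Scan from the longest candidate suffix to the shortest.
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // i === 0: the host is itself a public suffix, so it has no site.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return host;
}

// Compare the application origin with the authentication domain. Only the
// registrable domains are compared; scheme and port are ignored here.
function cookieContext(appOrigin, authOrigin) {
  const appSite = registrableDomain(new URL(appOrigin).hostname);
  const authSite = registrableDomain(new URL(authOrigin).hostname);
  const thirdParty = appSite === null || appSite !== authSite;
  return { appSite, authSite, thirdParty };
}

// The setup from the thread, then the custom-domain layout from the docs.
const cases = [
  ["http://localhost:3000", "https://xxxx.eu.auth0.com"],
  ["https://northwind.com", "https://login.northwind.com"],
];
for (const [app, auth] of cases) {
  const r = cookieContext(app, auth);
  console.log(`${app} -> ${auth}: ` +
    (r.thirdParty ? "third-party cookies (blocked when disabled)" : "same site"));
}
```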
