CORS errors after patch 10.2.2

Hi! I have run into multiple CORS errors since the release of 10.2.2. All subdomains of the LMS should be accepted, but I'm having trouble with all MFAs. I have configured all MFAs to use a subdomain of Tutor. In this case it is local.overhang.io and the MFA is located at tfp.local.overhang.io

To be able to access http://local.overhang.io/login_refresh to receive a JWT cookie I need to add the following to openedx-common-settings:

CORS_ALLOW_CREDENTIALS = True
CORS_ORIGIN_WHITELIST = ["http://{{ TFP_HOST }}"]

TFP_HOST is tfp.local.overhang.io
This produces the following headers:

HTTP/1.1 401 Unauthorized
Server: nginx
Date: Mon, 12 Oct 2020 17:13:52 GMT
Content-Type: application/json
Content-Length: 14
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://tfp.local.overhang.io
Content-Language: en
Vary: Accept-Language, Origin, Cookie

Which means I can log in and use the service as expected. However, the MFA relies on content from the rest-api, but accessing the rest-api produces these headers:

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Oct 2020 17:22:19 GMT
Content-Type: application/json
Content-Length: 81
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Origin: http://tfp.local.overhang.io
Access-Control-Allow-Credentials: true
Allow: GET, HEAD, OPTIONS
Content-Language: en
Vary: Accept-Language, Origin, Cookie
Access-Control-Allow-Origin: http://tfp.local.overhang.io
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, accept-encoding, authorization, content-type, dnt, origin, user-agent, x-csrftoken, x-requested-with, use-jwt-cookie
Access-Control-Max-Age: 86400

The interesting part is:

Access-Control-Allow-Origin: http://tfp.local.overhang.io &
Access-Control-Allow-Credentials: true

Because they appear twice in the response headers, they are blocked by CORS. This is the error:

Access to XMLHttpRequest at 'http://local.overhang.io/api/courses/v1/courses/?page=1&page_size=10&limit=10&fields=uuid,id,key,key_for_reruns,title,modified,editors,course_run_statuses,course_runs,image,short_description,full_description,start,seats,min_effort,max_effort,estimated_hours,status&editable=1&exclude_utm=1' from origin 'http://tfp.local.overhang.io' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values 'http://tfp.local.overhang.io, http://tfp.local.overhang.io', but only one is allowed.

By removing the following code from the 'cors-patch', everything works as normal, because you are not relying on NGINX for CORS handling:

# CORS configuration
add_header 'Access-Control-Allow-Origin' '$allow_origin';
add_header 'Access-Control-Allow-Credentials' 'true';
# sampled from edx.org
add_header 'Access-Control-Allow-Headers' 'accept, accept-encoding, authorization, content-type, dnt, origin, user-agent, x-csrftoken, x-requested-with, use-jwt-cookie';
add_header 'Access-Control-Max-Age' 86400;

I have tried leaving all settings blank to let NGINX handle everything, but that did not work for me.
Has anyone else run into similar issues? All help is greatly appreciated!

Regards
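Added example, not part of the original post and not code from Tutor or edx-platform: a small Python checker that parses a raw HTTP response header block (as captured with `curl -i`) and reports exactly the condition the browser complains about above, namely Access-Control-* headers that are emitted twice because both the nginx cors-patch and Django's CORS middleware add them. It also flags two related misconfigurations (wildcard origin combined with credentials, and a reflected origin without `Vary: Origin`). The two sample responses embedded in it are the header blocks quoted in the post; the function and variable names are my own.

```python
"""Check a raw HTTP response for duplicate or unsafe CORS headers.

Added example (not from the original post, Tutor or edx-platform). When two
layers (nginx and Django) both emit Access-Control-* headers, the browser sees
the header twice and rejects the response. This reproduces that check offline
so a captured response can be inspected before touching any config.
"""
from collections import Counter

# Constructed sample input: the two header blocks quoted in the post above.
LOGIN_REFRESH_RESPONSE = """\
HTTP/1.1 401 Unauthorized
Server: nginx
Date: Mon, 12 Oct 2020 17:13:52 GMT
Content-Type: application/json
Content-Length: 14
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://tfp.local.overhang.io
Content-Language: en
Vary: Accept-Language, Origin, Cookie
"""

COURSES_API_RESPONSE = """\
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Oct 2020 17:22:19 GMT
Content-Type: application/json
Content-Length: 81
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Origin: http://tfp.local.overhang.io
Access-Control-Allow-Credentials: true
Allow: GET, HEAD, OPTIONS
Content-Language: en
Vary: Accept-Language, Origin, Cookie
Access-Control-Allow-Origin: http://tfp.local.overhang.io
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, accept-encoding, authorization, content-type, dnt, origin, user-agent, x-csrftoken, x-requested-with, use-jwt-cookie
Access-Control-Max-Age: 86400
"""

# CORS response headers the browser treats as single-valued: a second copy is fatal.
SINGLE_VALUED = (
    "access-control-allow-origin",
    "access-control-allow-credentials",
    "access-control-max-age",
)


def parse_response_headers(raw):
    """Return (name, value) pairs in wire order, with names lowercased.

    The status line is skipped and parsing stops at the first blank line,
    so a full `curl -i` capture (headers plus body) can be passed in as-is.
    """
    headers = []
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def check_cors_headers(headers):
    """Return a list of problems a browser (or a cache) would have with these headers."""
    findings = []
    counts = Counter(name for name, _ in headers)
    for name in SINGLE_VALUED:
        if counts[name] > 1:
            values = [v for n, v in headers if n == name]
            findings.append(
                f"{name} sent {counts[name]} times ({', '.join(values)}); "
                "browsers reject multiple values, so one layer must stop emitting it"
            )
    origins = [v for n, v in headers if n == "access-control-allow-origin"]
    creds = [v.lower() for n, v in headers if n == "access-control-allow-credentials"]
    if "*" in origins and "true" in creds:
        findings.append("Allow-Origin '*' with Allow-Credentials true is rejected by browsers")
    # A reflected origin must be accompanied by Vary: Origin, or a shared cache
    # may hand one origin's CORS response to another origin.
    vary = {v.strip().lower() for n, val in headers if n == "vary" for v in val.split(",")}
    if origins and "*" not in origins and "origin" not in vary:
        findings.append("Allow-Origin reflects a specific origin but Vary: Origin is missing")
    return findings


if __name__ == "__main__":
    for label, raw in (("login_refresh", LOGIN_REFRESH_RESPONSE),
                       ("courses api", COURSES_API_RESPONSE)):
        problems = check_cors_headers(parse_response_headers(raw))
        print(f"{label}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

Run against the two captures, the login_refresh response comes back clean while the courses API response reports Access-Control-Allow-Origin and Access-Control-Allow-Credentials each sent twice, which is the browser error quoted above. After removing the add_header lines from the cors-patch, re-capture with `curl -i -H 'Origin: http://tfp.local.overhang.io' <url>` and the report should be empty.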