“CORS header ‘Access-Control-Allow-Origin’ does not match”, incorrect “Access-Control-Allow-Origin” in Response Header

▼魔方 西西 提交于 2020-07-19 18:10:38

问题


We have a multi-tenant web application hosted on IIS with two headers (SiteA and SiteB). The application uses Autodesk Forge Viewer on the client side. Everything was working fine until last week which this started happening: when browsing the application with url "http://www.siteA.com" it works fine. now if we browse same application using url "http://www.siteB.com" in another tab the viewer does not load and we have two errors in the debug:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://developer.api.autodesk.com/viewingservice/v1/viewers/6.2.3/lmvworker.min.js. (Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘http://www.siteA.com’).

and

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://developer.api.autodesk.com/viewingservice/v1/viewers/6.2.3/res/locales/en/allstrings.json. (Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘http://www.siteA.com’).

as the error suggests although the Origin in the Request header of the call is "http://www.siteB.com" the returning "Access-Control-Allow-Origin" in the response header is "http://www.siteA.com" !

now if someone else (or using another browser) we do the same but other way (first site B then A) we have site B working fine but site A giving the error with wrong response header.

Has anyone ever had such problem? is this a CDN cache issue with any possible Autodesk Forge CDN servers updated? Any help to guide me in the right direction will be appreciated.

Thanks


回答1:


I am experiencing the exact same behaviour. In our case it are 2 different sites with 2 complete different domains.

We are using these url's for loading script and CSS

https://developer.api.autodesk.com/modelderivative/v2/viewers/7.*/viewer3D.min.js https://developer.api.autodesk.com/modelderivative/v2/viewers/7.*/style.min.css

I have tested it in the latest Chrome / Firefox and in both browsers I get the error.

What I did:

  • Visit site A => Everything works fine
  • Visit site B => Not working
  • Reset cache on site B => Everythings works
  • Visit site A => Not working

So the first site which loads the scripts from the CDN is the 'Winner' and that site works as expected.

I've tested it also by visiting: https://sample-collection.s3.amazonaws.com/advanced.html

After that I opened my development website and got this error:

Access to XMLHttpRequest at 'https://developer.api.autodesk.com/modelderivative/v2/viewers/7.*/lmvworker.min.js' from origin 'https://dev-bdh-project-sharing-management.bdh.nl' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value 'https://sample-collection.s3.amazonaws.com' that is not equal to the supplied origin.




回答2:


As is suggested in the comments above - always use the below CDN URL to load Viewer:

https://developer.api.autodesk.com/modelderivative/v2/viewers/style.min.css?v=v7.*

The other address is not recommended per our officially documentation.



来源:https://stackoverflow.com/questions/62162175/cors-header-access-control-allow-origin-does-not-match-incorrect-access-co

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!