CORS errors on multiple sites appearing recently

maestroc

Well-Known Member
Aug 23, 2012
74
1
58
cPanel Access Level
Reseller Owner
I remember seeing something in a recent cpanel update about XSS hardening. Since that update two different clients have come to me recently with issues that seem to point to the same underlying error. I will detail both cases below and hopefully someone will be able to see the connecting problem. I'd like to know how to fix this, whether it be a problem in the website code or whether I can adjust something on these accounts to allow these products to continue to work properly.

Site 1- a magazine site using a plugin to display PDF content in a flipbook format

The site has worked fine for years but as recently as this last chain of Joomla and cpanel updates we get CORS errors. If a user follows a link to https://sitename.com/article with a PDF embedded in it using the viewer the PDF never finishes loading and in the console we see this error pop up:

Access to XMLHttpRequest at 'https://www.sitename.com/modules/mod_flipbookpremium/assets/js/libs/pdf.worker.min.js?ver=1.2.7' from origin 'ראשי' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

If we try the same request by putting the www at the front of the URL (https://www.sitename.com/article) then it loads normally.

We have never had this issue until recently.

Site 2- a virtuemart store site running on Joomla

In this case we wanted to turn on a feature in VM's PayPal to allow us to accept PayPal Credit. Again, the site worked fine for years before, but when we turn on this credit option the one page checkout form starts throwing the same kind of CORS error:

Access to XMLHttpRequest at 'Log in to your account' (redirected from 'https://storesite.com/index.php?option=com_virtuemart&view=cart&vmtask=updatecartaddress') from origin 'https://storesite.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

Any ideas on if or how these two issues might be related? Is there anything I can do in cpanel to solve these without causing security issues? Or are these just coding mistakes that the vendors of these website plugins need to fix?
 

GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
1,753
311
363
Chesapeake, VA
cPanel Access Level
DataCenter Provider
This is just a quick low researched reply but you may want to try the htaccess fix in this thread.