CORS errors on multiple sites just appearing recently

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, fcoulter, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
Post Reply
maestroc
Joomla! Explorer
Joomla! Explorer
Posts: 402
Joined: Sun Dec 04, 2005 7:27 pm
Contact:

CORS errors on multiple sites just appearing recently

Post by maestroc » Wed May 13, 2020 4:34 pm

Two different clients have come to me recently with issues that seem to point to the same underlying error. I will detail both cases below and hopefully someone will be able to see the connecting problem.

Site 1- a magazine site using PayPlans for subscription content and a module named Flipbook Premium to display PDF files inside K2 articles.

The site has worked fine for years but as recently as this last chain of Joomla and component updates we get CORS errors. If a user follows a link to https://sitename.com/article the PDF never finishes loading and in the console we see this error pop up:

Code: Select all

Access to XMLHttpRequest at 'https://www.sitename.com/modules/mod_flipbookpremium/assets/js/libs/pdf.worker.min.js?ver=1.2.7' from origin 'https://sitename.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
If we try the same request by putting the www at the front of the URL (https://www.sitename.com/article) then it loads normally.

We have never had this issue until recently.

Site 2- a virtuemart store site using the JoomlaPro One Page Checkout plugin and PayPal for payment processing


In this case we wanted to turn on a feature in VM's PayPal to allow us to accept PayPal Credit. Again, the site worked fine for years before, but when we turn on this credit option the one page checkout form starts throwing the same kind of CORS error:

Code: Select all

Access to XMLHttpRequest at 'https://www.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=EC-2E584443NW736744U' (redirected from 'https://storesite.com/index.php?option=com_virtuemart&view=cart&vmtask=updatecartaddress') from origin 'https://storesite.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.
Any ideas on if or how these two issues might be related?

User avatar
pe7er
Joomla! Master
Joomla! Master
Posts: 22841
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands
Contact:

Re: CORS errors on multiple sites just appearing recently

Post by pe7er » Wed May 13, 2020 7:56 pm

The https of your server (or your Joomla site) has been hardened.
It has been protected against Cross Site Scripting (XSS) attacks.
A server can send some information in the HTTP headers about e.g. which external sources can be trusted.

Apparently you are using scripts from other resources and the Content Security Policy (CSP) of your site/server is not set up correctly.

In your case you should check how the HTTP headers are set, and maybe allow those external scripts (if you trust them).

More info about the Content Security Policy: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Kind Regards,
Peter Martin, Global Moderator
https://db8.nl - Joomla specialist, Nijmegen, Nederland
The best website: https://the-best-website.com

maestroc
Joomla! Explorer
Joomla! Explorer
Posts: 402
Joined: Sun Dec 04, 2005 7:27 pm
Contact:

Re: CORS errors on multiple sites just appearing recently

Post by maestroc » Thu May 14, 2020 12:30 am

Sorry to ask, but that doc you linked to seems to be a bit above my comfort level, lol. How would I go about crafting an exception to solve that problem I have with Site 2 above for example? Are there tutorials for that kind of thing? I did a basic google search for it but either I must not be phrasing things right in the query because I am not finding anything useful.

Also, can this kind of exception be done on an account by account basis on a cpanel server or is the server admin going to have to apply something server wide?

User avatar
pe7er
Joomla! Master
Joomla! Master
Posts: 22841
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands
Contact:

Re: CORS errors on multiple sites just appearing recently

Post by pe7er » Thu May 14, 2020 9:38 am

maestroc wrote:
Thu May 14, 2020 12:30 am
that doc you linked to seems to be a bit above my comfort level
Ok, sorry. A better site about the subject, and what to configure, would be:
https://scotthelme.co.uk/hardening-your ... e-headers/
Also, can this kind of exception be done on an account by account basis on a cpanel server or is the server admin going to have to apply something server wide?
I am not familiar with cpanel. I am a Linux guy and do such things directly on the server :-)
You can configure these things in the vhost settings or .htaccess on a per website basis.

There's a plugin (which will be part of the Joomla 4 core) available that you can use to add HTTP headers:
HttpHeader
https://extensions.joomla.org/extension/httpheader/
However, if your server already sets those headers, this plugin won't remove them.
Kind Regards,
Peter Martin, Global Moderator
https://db8.nl - Joomla specialist, Nijmegen, Nederland
The best website: https://the-best-website.com

User avatar
Jaydot
Joomla! Explorer
Joomla! Explorer
Posts: 369
Joined: Sun Jun 04, 2017 12:11 pm
Location: The Netherlands
Contact:

Re: CORS errors on multiple sites just appearing recently

Post by Jaydot » Sun Oct 25, 2020 11:56 am

pe7er wrote:
Thu May 14, 2020 9:38 am
...There's a plugin...
I know this is an older post, sorry, but it seems to address my question directly.

When I check my sites on securityheaders.com, I get a number of dire warnings (and a D rating).
(My J!4 beta site gets less warnings and a C rating).

Can I simply install the httpheader plugin on my 3.9.22 sites and go with the defaults?

As a reviewer remarks: "easy to use if you know what you are doing" - but that's just it: I'd have no idea what I was doing! This header stuff is way out of my league...

So what should a simple user such as myself do? How urgent is this problem? Are there settings that would work for all Joomla sites - probably not, come to think of it, as it would depend on extensions used?
The fact that an opinion is widely held is no evidence whatsoever that it is not utterly absurd.
Personal website: https://jaydot.nl

User avatar
pe7er
Joomla! Master
Joomla! Master
Posts: 22841
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands
Contact:

Re: CORS errors on multiple sites just appearing recently

Post by pe7er » Sun Oct 25, 2020 4:08 pm

Jaydot wrote:
Sun Oct 25, 2020 11:56 am
Can I simply install the httpheader plugin on my 3.9.22 sites and go with the defaults?
No. You can easily install it but you have to configure the plugin yourself.
Some HTTP Security Headers might already be set by your server.
Only configure the headers that are not yet set.

As a reviewer remarks: "easy to use if you know what you are doing" - but that's just it: I'd have no idea what I was doing! This header stuff is way out of my league...

So what should a simple user such as myself do? How urgent is this problem? Are there settings that would work for all Joomla sites - probably not, come to think of it, as it would depend on extensions used?
Correct. There's no one configuration setting that fits all.
Every web server and Joomla website is different.

I would install the HTTP Security Headers plugin and:
  • check the current HTTP Security Headers set by the web server (use Google Chrome "Inspect" > Network)
    configure the that are not yet
  • configure the missing HTTP Security Headers
  • check which external resources (CSS, JavaScript, Google Fonts) you are using.
  • add those as exception to the Content Security Policy settings
Kind Regards,
Peter Martin, Global Moderator
https://db8.nl - Joomla specialist, Nijmegen, Nederland
The best website: https://the-best-website.com

User avatar
Jaydot
Joomla! Explorer
Joomla! Explorer
Posts: 369
Joined: Sun Jun 04, 2017 12:11 pm
Location: The Netherlands
Contact:

Re: CORS errors on multiple sites just appearing recently

Post by Jaydot » Sun Oct 25, 2020 4:51 pm

Thanks, Peter.
I can find the column "headers" in the Network tab, but then I simply don't know what I'm looking at/what I'm supposed to be looking for.
The sites I manage are spread out over eight different hosting providers, and I can see that the headers are different for different hosting providers... But I have no idea which differences are significant.

Should hosting providers be able to help with this? (apart from the CSP exceptions, obviously)

*Sigh*

Maybe tomorrow I'll install the plugin and see where it takes me...

cheers,
j.
The fact that an opinion is widely held is no evidence whatsoever that it is not utterly absurd.
Personal website: https://jaydot.nl


Post Reply

Return to “Security in Joomla! 3.x”