Cdnjs: Blocked by CORS policy

Created on 15 Apr 2019 · 49 comments · Source: cdnjs/cdnjs

I am having issues with loading various scripts from https://courses.cs.washington.edu/courses/cse154/19sp-aprilfools/homework/homework.html due to a CORS issue.
[screenshot]

When calling it from Postman, the Access Control header is missing:
[screenshot]

These are the script tags used on that page:

<script src="https://cdnjs.cloudflare.com/ajax/libs/soundmanager2/2.97a.20150601/script/soundmanager2-nodebug-jsmin.js" integrity="sha256-5KBL+8gS3BkWOs22YOrezN3Djl4pwodgZaPQY9hgu4Y=" crossorigin="anonymous"></script> 
<script src="https://cdnjs.cloudflare.com/ajax/libs/jrumble/1.3.0/jquery.jrumble.min.js" integrity="sha256-z+oTdmuaIQMdK+E1CPBwewoqdUE7sfBryQ4/PXYsSlE=" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery.transit/0.9.12/jquery.transit.min.js" integrity="sha256-rqEXy4JTnKZom8mLVQpvni3QHbynfjPmPxQVsPZgmJY=" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/UAParser.js/0.7.19/ua-parser.min.js" integrity="sha256-WfUykOyzFASY5s5n4T1ENGfSfN0YGcvEJ75f1Zv3S0E=" crossorigin="anonymous"></script>
Labels: Server - configuration, High Priority

All 49 comments

I'm seeing this as well:

Access to CSS stylesheet at 'https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css' from origin 'https://redactedappname.redactedcompany.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I am seeing this as well. We have a demo soon. If this cannot be fixed in less than half an hour I may move off CDNJS permanently.

I am seeing this for:

<script src="https://cdnjs.cloudflare.com/ajax/libs/react/16.0.0/umd/react.production.min.js" integrity="sha256-3lmw1FBKoDUME3df7Jt4hZ8+2oPeoh1g3e2Yu3hm1Uo=" crossorigin="anonymous"></script>

Interestingly, when I load the URL directly, it does have a CORS header.

Hi there,

Thank you for reporting this. We are currently working with Cloudflare, who recently deployed changes, to resolve this issue asap and to restore CDN service.

I will pass this thread onto the team at Cloudflare so that they can diagnose and resolve the issue asap.

If you encounter this issue: Please post full request & response headers, along with the failed resource URL. This allows us to more easily locate the source of the issue.

Thank you.
You can follow incident updates on our status page: https://status.cdnjs.com/incidents/9100rwz33n1h

A fix has been released. If there are specific JS that you need to be purged please post.

@dknecht ^^

The same issue is still randomly happening for the:
https://cdnjs.cloudflare.com/ajax/libs/babel-polyfill/7.0.0/polyfill.min.js

Occurring with
https://cdnjs.cloudflare.com/ajax/libs/vue/1.0.27/vue.min.js

Request:

Host: cdnjs.cloudflare.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: */*
Accept-Language: en-GB,en-US;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://freddyheppell.com/2018/08/06/understanding-rsa
Origin: https://freddyheppell.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

Response:

HTTP/2.0 200 OK
date: Mon, 15 Apr 2019 20:34:38 GMT
content-type: application/javascript; charset=utf-8
last-modified: Thu, 17 May 2018 09:26:44 GMT
etag: W/"5afd4ad4-12f78"
expires: Sat, 04 Apr 2020 20:34:38 GMT
cache-control: public, max-age=30672000
vary: Accept-Encoding
timing-allow-origin: *
x-content-type-options: nosniff
served-in-seconds: 0.003
cf-cache-status: HIT
strict-transport-security: max-age=15780000; includeSubDomains
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 4c80b3916a46ce3d-LHR
content-encoding: br
X-Firefox-Spdy: h2

Occurred with these two resources from this url https://courses.cs.washington.edu/courses/cse154/19sp-aprilfools/homework/homework.html:

https://cdnjs.cloudflare.com/ajax/libs/UAParser.js/0.7.19/ua-parser.min.js
Request:

Origin: https://courses.cs.washington.edu
Referer: https://courses.cs.washington.edu/courses/cse154/19sp-aprilfools/homework/homework.html
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36

Response:

Date: Mon, 15 Apr 2019 20:44:41 GMT
Content-Type: application/javascript; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Thu, 25 Oct 2018 19:15:51 GMT
ETag: W/"5bd21667-377b"
Expires: Sat, 04 Apr 2020 20:44:41 GMT
Cache-Control: public, max-age=30672000
Vary: Accept-Encoding
Timing-Allow-Origin: *
x-content-type-options: nosniff
Content-Encoding: gzip
Served-In-Seconds: 0.000
CF-Cache-Status: HIT
Strict-Transport-Security: max-age=15780000; includeSubDomains
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 4c80c2473c412a19-SEA

https://cdnjs.cloudflare.com/ajax/libs/jquery.transit/0.9.12/jquery.transit.min.js
Request:

Origin: https://courses.cs.washington.edu
Referer: https://courses.cs.washington.edu/courses/cse154/19sp-aprilfools/homework/homework.html
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36

Response:

HTTP/2.0 200 OK
Date: Mon, 15 Apr 2019 20:42:39 GMT
Content-Type: application/javascript; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Thu, 17 May 2018 09:20:15 GMT
ETag: W/"5afd494f-1d34"
Expires: Sat, 04 Apr 2020 20:42:39 GMT
Cache-Control: public, max-age=30672000
Vary: Accept-Encoding
Timing-Allow-Origin: *
x-content-type-options: nosniff
Content-Encoding: gzip
Served-In-Seconds: 0.001
CF-Cache-Status: HIT
Strict-Transport-Security: max-age=15780000; includeSubDomains
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 4c80bf4d8e9b2a19-SEA

@eggonabull @yevhen-hryhorevskyi @freddyheppell @EndenDragon @xoqem The latest from Cloudflare is that those resources should now be fixed. Please try clearing your local cache and seeing if that is the case.

@chriskuehl I will pass this onto the team at Cloudflare to double check.

cc @PeterDaveHello just so you are aware.

The latest from Cloudflare is that those resources should now be fixed. Please try clearing your local cache and seeing if that is the case.

Sadly clearing the cache doesn't seem to solve the issue. I tried both disabling the cache via dev tools and opening a new incognito session just in case. I have a local workaround, so I'm not super blocked, but just a heads up.

@xoqem Ah, that's not great. Have passed the feedback onto Cf.

@xoqem Can you paste a url and headers?

I can reproduce this with curl from a couple boxes (original request came from Copy as > Curl from Chrome):

$ curl 'https://cdnjs.cloudflare.com/ajax/libs/react/16.4.0/umd/react.production.min.js' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36' -H 'Referer: https://www.stageg.yelp.com/' -H 'Origin: https://www.stageg.yelp.com' --compressed -D- -so /dev/null
HTTP/2 200
date: Mon, 15 Apr 2019 21:16:08 GMT
content-type: application/javascript; charset=utf-8
last-modified: Thu, 24 May 2018 01:00:47 GMT
etag: W/"5b060ebf-1c31"
expires: Sat, 04 Apr 2020 21:16:08 GMT
cache-control: public, max-age=30672000
vary: Accept-Encoding
timing-allow-origin: *
x-content-type-options: nosniff
content-encoding: gzip
served-in-seconds: 0.001
cf-cache-status: HIT
strict-transport-security: max-age=15780000; includeSubDomains
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 4c80f05aecea514c-SJC

If I make the same request with a slightly different Origin request header (I just appended a z), it works:

$ curl 'https://cdnjs.cloudflare.com/ajax/libs/react/16.4.0/umd/react.production.min.js' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36' -H 'Referer: https://www.stageg.yelp.com/' -H 'Origin: https://www.stageg.yelp.comz' --compressed -D- -so /dev/null
HTTP/2 200
date: Mon, 15 Apr 2019 21:16:33 GMT
content-type: application/javascript; charset=utf-8
last-modified: Thu, 24 May 2018 01:00:49 GMT
etag: W/"5b060ec1-1c31"
expires: Sat, 04 Apr 2020 21:16:33 GMT
cache-control: public, max-age=30672000
vary: Accept-Encoding
timing-allow-origin: *
access-control-allow-origin: *
content-encoding: gzip
served-in-seconds: 0.001
cf-cache-status: HIT
strict-transport-security: max-age=15780000; includeSubDomains
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 4c80f0f76fdb95f5-SJC

This second response has access-control-allow-origin: * as expected, whereas the first doesn't.
Some weird caching thing given that changing the Origin request header fixes it?

I tried the same curl command (the first curl above) on three different networks; it reproduced on two of the three. Not sure if it's relevant, but the two it reproduces from are hitting SJC cloudflare (based on that cf-ray response header), the third it doesn't reproduce from appears to be hitting LAX.

Edit: Also seeing the same thing for https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.2/jquery.min.js
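The comparison above (a cached response with no Access-Control-Allow-Origin versus a fresh one with `*`) can be checked mechanically instead of by eye. The following is an added example, not code from the cdnjs project or from any commenter: it parses header dumps in both the `name: value` form and the Postman `Name →value` form that appear in this thread, applies the browser's rule for a `crossorigin="anonymous"` (no-credentials) fetch, which is exactly what an `integrity` attribute forces, and flags responses that a URL-keyed cache could not safely share across origins. The two header dumps embedded below are trimmed copies of the curl output posted above; the function names are this example's own.

```python
"""Check whether a response from a CDN would pass a browser's CORS check for a
no-credentials request (crossorigin="anonymous"), from a raw header dump.

Added example; not cdnjs or Cloudflare code. Assumption: the browser rule
modelled is the basic one for requests without credentials, i.e. the response
must carry Access-Control-Allow-Origin equal to "*" or to the exact origin.
"""
from typing import Dict

ACAO = "access-control-allow-origin"

# Trimmed copies of the two curl responses posted in the thread (first: the
# cached response that broke pages; second: the fresh one after changing Origin).
BAD_RESPONSE = """HTTP/2 200
date: Mon, 15 Apr 2019 21:16:08 GMT
content-type: application/javascript; charset=utf-8
cache-control: public, max-age=30672000
vary: Accept-Encoding
timing-allow-origin: *
cf-cache-status: HIT
server: cloudflare
"""

GOOD_RESPONSE = """HTTP/2 200
date: Mon, 15 Apr 2019 21:16:33 GMT
content-type: application/javascript; charset=utf-8
cache-control: public, max-age=30672000
vary: Accept-Encoding
timing-allow-origin: *
access-control-allow-origin: *
cf-cache-status: HIT
server: cloudflare
"""

# Postman-style dump (arrow separator), as pasted earlier in the thread.
POSTMAN_DUMP = """Date →Mon, 15 Apr 2019 20:44:41 GMT
Content-Type →application/javascript; charset=utf-8
Vary →Accept-Encoding
CF-Cache-Status →HIT
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse `Name: value` or `Name →value` lines into a dict keyed by the
    lower-cased header name. Status lines such as `HTTP/2 200` are skipped."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HTTP/"):
            continue
        sep = "→" if "→" in line else ":"
        if sep not in line:
            continue
        name, value = line.split(sep, 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def cors_allows(origin: str, headers: Dict[str, str]) -> bool:
    """True if a no-credentials CORS request from `origin` is allowed."""
    acao = headers.get(ACAO)
    return acao is not None and (acao == "*" or acao == origin)


def shareable_across_origins(headers: Dict[str, str]) -> bool:
    """True if a cache keyed on URL alone may serve this response to any
    origin: either the CORS header is origin-independent ("*") or the response
    declares Vary: Origin so that caches must keep per-origin variants."""
    vary = {v.strip().lower() for v in headers.get("vary", "").split(",")}
    return headers.get(ACAO) == "*" or "origin" in vary


def diagnose(origin: str, raw: str) -> str:
    """One-line verdict for a request from `origin` given a raw header dump."""
    headers = parse_headers(raw)
    status = headers.get("cf-cache-status", "unknown")
    if cors_allows(origin, headers):
        return f"ok: CORS header present (cf-cache-status={status})"
    if status == "HIT":
        return "blocked: cached variant lacks Access-Control-Allow-Origin"
    return "blocked: response lacks Access-Control-Allow-Origin"


if __name__ == "__main__":
    site = "https://www.stageg.yelp.com"
    print(diagnose(site, BAD_RESPONSE))
    print(diagnose(site, GOOD_RESPONSE))
```

Run it as-is to see the two verdicts; feed `diagnose` the output of `curl -D- -so /dev/null` (or a Postman copy) to check a resource your own pages depend on. The `shareable_across_origins` check is the one that matters for the root cause later in the thread: cdnjs always answers `*`, so nothing about the response depends on the requesting origin and there is no reason for a cache key to include it.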

Thanks that is helpful.

@chriskuehl Looks to be a cached issue now, which I guess is good as it means only these few resources are affected. @dknecht and the Cloudflare team should be able to resolve this shortly :)

@MattIPv4 It seems that the issue is gone for us. At least I was not able to reproduce it with several attempts.

@chriskuehl @xoqem Is it working now for you?

@dknecht I'm having issues with this as well
https://github.com/cdnjs/cdnjs/issues/13324 and more info at https://github.com/cdnjs/cdnjs/issues/13324#issuecomment-483411577

@dknecht unfortunately I'm still seeing no header with this curl command:

$ curl 'https://cdnjs.cloudflare.com/ajax/libs/react/16.4.0/umd/react.production.min.js' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36' -H 'Referer: https://www.stageg.yelp.com/' -H 'Origin: https://www.stageg.yelp.com' --compressed -D- -so /dev/null
HTTP/2 200
date: Mon, 15 Apr 2019 21:50:58 GMT
content-type: application/javascript; charset=utf-8
last-modified: Thu, 24 May 2018 01:00:47 GMT
etag: W/"5b060ebf-1c31"
expires: Sat, 04 Apr 2020 21:50:58 GMT
cache-control: public, max-age=30672000
vary: Accept-Encoding
timing-allow-origin: *
x-content-type-options: nosniff
content-encoding: gzip
served-in-seconds: 0.001
cf-cache-status: HIT
strict-transport-security: max-age=15780000; includeSubDomains
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 4c81235fa805517c-SJC

I tested this on three different networks all near San Francisco (one corporate Level3, one residential WebPass, one Linode datacenter) and all three don't see the header. A fourth network I tested on (hitting LAX) does see the header.

@dknecht still seeing errors on my end as well

Could https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css be purged? I have a number of apps which use that library, and I can't be sure which users are stuck receiving the cached version with the absent Access-Control-Allow-Origin: * header.

I'm seeing the same behavior @chriskuehl mentioned: If I make a request and provide one of the affected apps' URLs in the Origin header, I get the cached response containing no Access-Control-Allow-Origin: * header. If I modify the Origin value in any way, the new response _does_ contain Access-Control-Allow-Origin: *. Here's an HTTPie example where the first request receives the old cached response, and the second receives the correct response:

$ http -ph https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css 'Origin:https://vto.os.pixar.com'
HTTP/1.1 200 OK
CF-Cache-Status: HIT
CF-RAY: 4c8126335ee07924-LAX
Cache-Control: public, max-age=30672000
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/css
Date: Mon, 15 Apr 2019 21:52:54 GMT
ETag: W/"5afd4939-7918"
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Expires: Sat, 04 Apr 2020 21:52:54 GMT
Last-Modified: Thu, 17 May 2018 09:19:53 GMT
Served-In-Seconds: 0.001
Server: cloudflare
Strict-Transport-Security: max-age=15780000; includeSubDomains
Timing-Allow-Origin: *
Transfer-Encoding: chunked
Vary: Accept-Encoding
x-content-type-options: nosniff

$ http -ph https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css 'Origin:https://vto-stage.os.pixar.com'
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
CF-Cache-Status: MISS
CF-RAY: 4c812dfc4b1e791e-LAX
Cache-Control: public, max-age=30672000
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/css
Date: Mon, 15 Apr 2019 21:58:13 GMT
ETag: W/"5afd4910-7918"
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Expires: Sat, 04 Apr 2020 21:58:13 GMT
Last-Modified: Thu, 17 May 2018 09:19:12 GMT
Served-In-Seconds: 0.001
Server: cloudflare
Strict-Transport-Security: max-age=15780000; includeSubDomains
Timing-Allow-Origin: *
Transfer-Encoding: chunked
Vary: Accept-Encoding

Thank you ❤️

We have removed "Origin" from the Cache Key. This should improve performance and clear the caches. Sorry for the inconvenience we have caused everyone. We are reviewing the process to ensure this can't happen again.
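To see why removing Origin from the cache key both clears the bad variants and ends the per-site behaviour reported above (one Origin value stuck on a cached response, a slightly different one getting a fresh MISS), here is an added example that models an edge cache under the two keying strategies. This is not Cloudflare's or cdnjs's code: the origin server, its brief window of responses without Access-Control-Allow-Origin, and the URL-only purge API are all simulated and labelled as such in the comments; the hostnames are the ones used in the thread.

```python
"""Toy edge cache showing the effect of keying cached responses on the Origin
request header versus on the URL alone.

Added example; not Cloudflare or cdnjs code. Constructed scenario: the origin
briefly omits Access-Control-Allow-Origin (the outage in the thread), one site
loads the file during that window, the origin is then repaired, and an
operator purges by URL.
"""
from typing import Callable, Dict, Hashable, Optional

ACAO = "access-control-allow-origin"
URL = "https://cdnjs.cloudflare.com/ajax/libs/react/16.4.0/umd/react.production.min.js"
SITES = ["https://www.stageg.yelp.com", "https://www.stageg.yelp.comz"]

KeyFn = Callable[[str, Optional[str]], Hashable]


class OriginServer:
    """Simulated origin; `broken` models the window without the CORS header."""

    def __init__(self) -> None:
        self.broken = False

    def fetch(self, url: str) -> Dict[str, str]:
        headers = {"cache-control": "public, max-age=30672000",
                   "vary": "Accept-Encoding"}
        if not self.broken:
            headers[ACAO] = "*"
        return headers


class EdgeCache:
    def __init__(self, origin: OriginServer, key_fn: KeyFn) -> None:
        self.origin = origin
        self.key_fn = key_fn
        self.store: Dict[Hashable, Dict[str, str]] = {}

    def get(self, url: str, request_origin: Optional[str]) -> Dict[str, str]:
        key = self.key_fn(url, request_origin)
        if key in self.store:
            return {**self.store[key], "cf-cache-status": "HIT"}
        fresh = self.origin.fetch(url)
        self.store[key] = fresh
        return {**fresh, "cf-cache-status": "MISS"}

    def purge(self, url: str) -> int:
        """Purge by URL. Assumption: the purge API knows only the URL, so
        entries whose key also carries an Origin value are not reachable."""
        return 1 if self.store.pop(self.key_fn(url, None), None) is not None else 0


def key_with_origin(url: str, origin: Optional[str]) -> Hashable:
    """Cache key that includes the Origin header (the configuration that broke)."""
    return (url, origin)


def key_url_only(url: str, origin: Optional[str]) -> Hashable:
    """Cache key on the URL alone (the fix: Origin removed from the key)."""
    return url


def simulate(key_fn: KeyFn) -> Dict[str, object]:
    """Return, per site, whether the CORS header is present right after the
    origin is repaired and again after a purge by URL, plus the entry count."""
    edge = EdgeCache(OriginServer(), key_fn)
    edge.origin.broken = True
    edge.get(URL, SITES[0])            # the first site loads during the outage
    edge.origin.broken = False         # origin repaired; cache still holds the bad copy
    after_fix = {s: ACAO in edge.get(URL, s) for s in SITES}
    purged = edge.purge(URL)
    after_purge = {s: ACAO in edge.get(URL, s) for s in SITES}
    return {"after_fix": after_fix, "purged": purged,
            "after_purge": after_purge, "entries": len(edge.store)}


if __name__ == "__main__":
    for name, fn in (("origin in key", key_with_origin), ("url only", key_url_only)):
        print(name, simulate(fn))
```

With Origin in the key, the site that loaded during the outage keeps hitting its own bad variant while an Origin that differs by one character gets a MISS and a correct response, and a purge by URL cannot find the per-origin entries, which is the "I can't be sure which users are stuck" problem from earlier in the thread. With the URL-only key there is a single entry per resource, so one purge fixes every site at once, and the cache is smaller. Since cdnjs answers `Access-Control-Allow-Origin: *` for everyone and does not send `Vary: Origin`, there was never anything origin-specific to cache in the first place.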

@dknecht Thank you for the incredible work to resolve this! ❤️

Confirmed it is fixed for us, thanks!

Yup fixed on my end too! Thanks for your help!!

Can this be happening now for https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.4.1/css/bootstrap.min.css? (other resources from cdnjs.cloudflare.com load fine)

Hey @ittayd, we're not seeing any other reports of this. Do you have headers from the request that failed, or preferably, a full HAR of the failing request?

Ah, I meant response headers, my bad. You can probably grab them from the browser developer tools -> network inspector.

curl 'https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.4.1/css/bootstrap.min.css' \
  -H 'authority: cdnjs.cloudflare.com' \
  -H 'pragma: no-cache' \
  -H 'cache-control: no-cache' \
  -H 'origin: https://ittayd.github.io' \
  -H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36' \
  -H 'dnt: 1' \
  -H 'accept: text/css,*/*;q=0.1' \
  -H 'sec-fetch-site: cross-site' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-dest: style' \
  -H 'referer: https://ittayd.github.io/rubiks_cube_html5/index.html' \
  -H 'accept-language: en-US,en;q=0.9,he-IL;q=0.8,he;q=0.7' \
  --compressed

I can't find a way to copy the response headers

On Firefox, open developer tools, go to the network tab, click on the failed request, click on the headers tab, click on the raw headers toggle for response headers. Then you can copy/paste the response headers.

Alternatively, you can simply right click on the failed request in the network tab and click the option to save as a HAR.

access-control-allow-origin: *
age: 15216584
alt-svc: h3-27=":443"; ma=86400, h3-25=":443"; ma=86400, h3-24=":443"; ma=86400, h3-23=":443"; ma=86400
cache-control: public, max-age=30672000
cf-cache-status: HIT
cf-ray: 59a10eb8bf38ada9-TLV
cf-request-id: 02f88787770000ada970a7c200000001
content-encoding: br
content-type: text/css
date: Wed, 27 May 2020 16:19:26 GMT
etag: W/"5ddff649-26f1b"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
expires: Mon, 17 May 2021 16:19:26 GMT
last-modified: Thu, 28 Nov 2019 16:31:05 GMT
served-in-seconds: 0.003
server: cloudflare
status: 200
strict-transport-security: max-age=15780000; includeSubDomains
timing-allow-origin: *
vary: Accept-Encoding

That's the ticket. Looks like you're getting a valid CORS response back: access-control-allow-origin: *?

Using Chrome.

Yes, weird...

Access to CSS stylesheet at 'https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.4.1/css/bootstrap.min.css' from origin 'https://ittayd.github.io' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

case?

Just to confirm, that error is generated from the same request that you gave those response headers for?

Yes

I get different response headers back when I run the code you shared, and they do indeed lack the CORS header. It looks like we aren't responding to OPTIONS requests correctly.

@xtuc can you take a look at this?
This pen contains the failing request: https://codepen.io/MattCowley/pen/VwvOVpe?editors=1010

So I changed to bootstrap 4.5.0 and at first it loaded fine and now it doesn't load with the same error

I had crossorigin="anonymous" on the link tag. Once I took it away, the resource loads.

Works fine here, not a problem! Issue #13324 is closed.
