SonicOS 7 and CORS (cross origin resource sharing)
In the office, we have trouble with the website Kaart | Geldmaat Locatiewijzer.
It shows up partially, with no ability to look up locations. At home it works fine. So it's probably something with the TZ470 we have. It doesn't show any errors or warnings. Using the Developer Tools in Edge shows what the problem is:
Access to XMLHttpRequest at 'https://lrxs9ggm8j.execute-api.eu-west-1.amazonaws.com/prod/locations?fields=id&fields=latitude&fields=longitude&fields=functionality&fields=audioGuidance&fields=withdrawableDenominations&fields=geldmaatPlus' from origin 'https://www.locatiewijzer.geldmaat.nl' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
It seems like the firewall is stripping the HTML header? Is there any way to resolve this?
Best Answer
BWC Cybersecurity Overlord ✭✭✭
@Simon_Weel I have not seen this before, but did you try to exclude an endpoint from the security services? This would give you a clear view of whether it's related to that, and you can start from there. Without security services the chances are nil that the TZ is interfering.
It might also be related to some kind of Endpoint Security; a countercheck would be to use an endpoint without it.
Everything beyond that would need more digging.
UPDATE: I could reproduce this error by enabling DPI-SSL, even without disabling Security Services on LAN and WAN.
Greetings!
--Michael@BWC
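One way to confirm that the inspecting device, and not the API, is dropping the header, as an added example that is not from this thread: capture the response headers for the same request on a path with and without DPI-SSL, then apply the browser's CORS rule to each and list the headers that went missing. The header captures below are constructed; the API origin is taken from the error message in the question.

```python
# Added diagnostic (not from the thread): compare inspected vs. uninspected response headers.

CORS_HEADERS = ("access-control-allow-origin", "access-control-allow-credentials",
                "access-control-expose-headers", "vary")


def parse_headers(raw: str) -> dict[str, str]:
    """Parse a raw HTTP response header block into a lowercased name -> value dict."""
    headers: dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def cors_verdict(headers: dict[str, str], origin: str, credentials: bool = False) -> str:
    """Browser decision for a cross-origin response, following the CORS rules."""
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return "blocked: No 'Access-Control-Allow-Origin' header is present"
    if acao == "*":
        return "blocked: wildcard not allowed with credentials" if credentials else "allowed"
    if acao != origin:
        return f"blocked: origin {origin!r} does not match {acao!r}"
    if credentials and headers.get("access-control-allow-credentials", "").lower() != "true":
        return "blocked: Access-Control-Allow-Credentials missing"
    return "allowed"


def dropped_cors_headers(clean: dict[str, str], inspected: dict[str, str]) -> list[str]:
    """CORS-relevant headers present on the clean path but gone behind the middlebox."""
    return [h for h in CORS_HEADERS if h in clean and h not in inspected]

# Constructed captures for the same request over two network paths (not real traffic).
CLEAN = """HTTP/1.1 200 OK
Content-Type: application/json
Access-Control-Allow-Origin: https://www.locatiewijzer.geldmaat.nl
Vary: Origin
"""
INSPECTED = """HTTP/1.1 200 OK
Content-Type: application/json
"""

if __name__ == "__main__":
    origin = "https://www.locatiewijzer.geldmaat.nl"
    for label, raw in (("home, no DPI-SSL", CLEAN), ("office, DPI-SSL", INSPECTED)):
        print(f"{label}: {cors_verdict(parse_headers(raw), origin)}")
    print("dropped:", dropped_cors_headers(parse_headers(CLEAN), parse_headers(INSPECTED)))
```

Running it against real captures (browser DevTools "Headers" tab, or curl -i with an Origin header from both networks) tells you whether the exclusion has taken effect for that destination.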
Answers
Ok, disabling DPI-SSL indeed makes the site work. Now the question is: what URL do I need to exclude (I guess lrxs9ggm8j.execute-api.eu-west-1.amazonaws.com), and for which do I need to exclude it?
Adding the aforementioned site as an exclusion to DPI-SSL doesn't do the trick...
Spoke too soon - it did work after some time.
@Simon_Weel when fiddling with DPI-SSL, it's always advisable to completely close any browser instance. This kind of exclusion only makes sense if the destination is static.
Figuring this stuff out is one of the downsides of DPI-SSL.
--Michael@BWC