Cross-origin errors

We’re getting strict-origin-when-cross-origin 403 errors when trying to access certain pages on our website via an automated marketing email. If we access the pages directly, there is no issue, and if I enable dev mode everything is fine. I’ve tried playing around with a number of rules and access within Cloudflare but not having much luck, and it’s not really my area of expertise, so hoping people on here have some suggestions.

I don’t know whether it’s relevant or not, but apparently our staff in the Philippines (we are in Australia) don’t get the error when they test the same marketing emails.

Do you have an example of the error that they’re getting?

Have you made sure your site is set up to allow cross-origin requests by sending the appropriate response headers? Cross-Origin Resource Sharing (CORS) - HTTP | MDN

Hi Kian, thanks for your response. This is one of the errors (hopefully it lets me attach the screenshot).

I’m not sure about the CORS setup but I’ll check it with the devs, so thanks very much for the lead.

Look in the console of DevTools when loading the email/page in question - it’ll give you a much more clear error and it’ll mention CORS specifically if that’s the case.

That is not a CORS message. The strict-origin-when-cross-origin is just a response header, and not an issue here (probably!).

The 403 is potentially a Cloudflare WAF rule. In the response in Dev Tools you will see a CF-Ray header. Using the Ray ID for one of the errors, search the Firewall Logs under the Security tab on your Cloudflare Dashboard. That will tell you what rule is being triggered.

Thanks Michael,

I’ll have a look at those things and let you know how I go. Really appreciate you providing valuable insights.

ok, found a CF-Ray in the firewall logs:

981176 suggests it’s the OWASP rule set which suggests it’s a package, but I don’t seem to be able to find that package rule set…any ideas?

Sorry for all the noob questions - as I said, I don’t often dabble in the Cloudflare admin space.

We’ve resolved the issue. We were able to review the JSON from the firewall events, which pointed us at the rules within the OWASP package, which led us to the conclusion that the sensitivity needed some adjustment. Thanks all for the helpful hints and tips.


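The Ray ID lookup described in the thread, as an added example that is not part of the original posts: it takes a CF-Ray header value from DevTools, strips the data-centre suffix, and finds the matching event in a firewall events JSON export. The field names (`rayName`, `ruleId`, `source`, `action`), the action values and the sample events are assumptions constructed for illustration; only rule ID 981176 comes from the thread.

```python
import json
import re
from collections import Counter

# CF-Ray header value: 16 hex characters, optionally "-" plus a data-centre code.
CF_RAY_RE = re.compile(r"^([0-9a-f]{16})(?:-[a-z]{3})?$")

# Assumed set of action values that stop or interrupt a request.
BLOCKING_ACTIONS = {"block", "drop", "challenge"}

# Constructed sample export. Field names are assumptions about the JSON export;
# the Ray IDs, paths and timestamps are made up for this example.
SAMPLE_EXPORT = """[
 {"rayName": "7a1b2c3d4e5f6071", "datetime": "2023-01-10T02:14:07Z",
  "action": "block", "source": "waf", "ruleId": "981176",
  "clientRequestPath": "/offers/summer"},
 {"rayName": "7a1b2c3d4e5f6072", "datetime": "2023-01-10T02:15:31Z",
  "action": "block", "source": "waf", "ruleId": "981176",
  "clientRequestPath": "/offers/winter"},
 {"rayName": "7a1b2c3d4e5f6073", "datetime": "2023-01-10T02:16:02Z",
  "action": "allow", "source": "firewallrules", "ruleId": "constructed-rule-id",
  "clientRequestPath": "/"}
]"""

def ray_id_from_header(value):
    """Return the bare Ray ID from a CF-Ray header value such as '<id>-SYD'."""
    match = CF_RAY_RE.match(value.strip().lower())
    if match is None:
        raise ValueError(f"not a CF-Ray value: {value!r}")
    return match.group(1)

def events_for_ray(export_text, cf_ray_header):
    """Return every exported event whose Ray ID matches the header value."""
    ray_id = ray_id_from_header(cf_ray_header)
    return [e for e in json.loads(export_text)
            if str(e.get("rayName", "")).lower() == ray_id]

def blocking_rules(export_text):
    """Count blocking events per (source, ruleId), most frequent first."""
    counts = Counter((e.get("source"), e.get("ruleId"))
                     for e in json.loads(export_text)
                     if e.get("action") in BLOCKING_ACTIONS)
    return counts.most_common()

if __name__ == "__main__":
    for event in events_for_ray(SAMPLE_EXPORT, "7a1b2c3d4e5f6071-SYD"):
        print(event["datetime"], event["action"], event["source"],
              event["ruleId"], event["clientRequestPath"])
    print(blocking_rules(SAMPLE_EXPORT))
```
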