
CF2018 And IIS7.5 Cross-origin REST Services requests

Community Beginner, Sep 09, 2018

We attempted to upgrade from ColdFusion 11 to 2018 today and we are now getting our cross-origin requests blocked by Chrome. Reverting back to CF11 (changing no settings in IIS, just switching the connector) we have no problems. So, my question is this: What has changed in the REST Services served by CF2018 so that cross-origin requests would start getting blocked when the same code served by CF11 works fine? And, what, if anything, might be done to get around this issue?

Community Expert, Sep 09, 2018

Js, some things to consider (not to do in order):

- consider of course that it could be a change in 2016 not 2018

- you could consider installing 2016 as well, if you want to know for sure (perhaps testing first with no cf2016 updates then with the 6th that is available)

- are you confirming there's no error in CF's logs? Or in any error handling you've got? Maybe an error is happening and THAT is triggering the c-o error unexpectedly

- are you watching in some client dev tool to see exactly what is coming back from the server (headers and content)?

- to take iis out of the equation, have you confirmed that a test against the rest service served via the CF built-in web server fails for 2018 as well? and not 11?

- did you create a new site for use with 2018? If so, consider adding a new site for 11 (yes, I realize it would be redundant to your existing site for 11), but maybe the issue is not in cf but in the new iis site for 2018


/Charlie (troubleshooter, carehart.org)

Community Beginner, Oct 11, 2018

Thanks for your reply, Charlie. It was helpful to look at CF2016 as it does not have this same issue.

Community Beginner, Sep 11, 2018

I upgraded from ColdFusion 2016 to 2018 only and I am experiencing the same problem. No changes in IIS other than what 2018 modified in the setup.

Community Beginner, Oct 11, 2018 (Correct answer)

After talking with some Adobe support reps and doing some more troubleshooting, we arrived at the conclusion that CF2018 is not supported on Windows Server 2008 R2 (see this: https://helpx.adobe.com/pdf/coldfusion2018-support-matrix.pdf ) and something in that combination is at fault. I think it's something with the CORS support in IIS combined with CORS in CF2018 just not getting along and causing issues. (One issue I saw was returning two Access-Allow-Origin headers, which Chrome does not allow.) So, we will either be downgrading CF to 2016, which does not appear to have this issue, or upgrading to Windows Server 2012 or newer, which is at least supported if we do have more issues along these lines.

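The duplicate-header symptom reported in the answer above can be confirmed from a captured response instead of from the browser console. The following check is an added example, not code from the thread, Adobe or IIS; the function name `audit_cors`, the origin `https://app.example.test` and the sample responses are constructed for illustration.

```python
import http.client
import io

ACAO = "Access-Control-Allow-Origin"

def audit_cors(raw_response, origin):
    """Return reasons a browser would fail the CORS check for `origin`."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    header_block = head.partition(b"\r\n")[2]  # drop the status line
    headers = http.client.parse_headers(io.BytesIO(header_block + b"\r\n\r\n"))

    # get_all() keeps repeated header lines separate. An intermediary may
    # instead fold them into one comma-separated value, so split on commas too.
    lines = headers.get_all(ACAO) or []
    values = [v.strip() for line in lines for v in line.split(",") if v.strip()]
    credentials = (headers.get("Access-Control-Allow-Credentials") or "").strip() == "true"

    if not values:
        return ["missing"]
    if len(values) > 1:
        # Rejected even when every value is identical or one of them matches.
        return [f"multiple-values ({len(lines)} header line(s))"]
    if values[0] == "*":
        # A wildcard is not accepted for credentialed requests.
        return ["wildcard-with-credentials"] if credentials else []
    return [] if values[0] == origin else ["origin-mismatch"]

def make_response(*acao_lines):
    """Constructed sample response carrying the given ACAO header lines."""
    head = ["HTTP/1.1 200 OK", "Content-Type: application/json"]
    head += [f"{ACAO}: {v}" for v in acao_lines]
    return ("\r\n".join(head) + "\r\n\r\n{}").encode("ascii")

ORIGIN = "https://app.example.test"  # constructed origin
SAMPLES = {
    "single layer sets the header": make_response(ORIGIN),
    "web server and app both set it": make_response(ORIGIN, "*"),
    "folded into one line": make_response(f"{ORIGIN}, {ORIGIN}"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {audit_cors(raw, ORIGIN) or 'ok'}")
```

Running the same check against the response from each layer separately (the application server's built-in web server, then the front-end web server) shows which layer adds the extra header, so CORS can be configured in one place only.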
New Here, Aug 13, 2021

Hi Charlie

I am encountering the same CORS vulnerability in one of our applications. We have an in-house app, in that we get emails from a POP server. As soon as I applied the update 11 on CF2018, I started getting the CORS errors, because the HTML from the email had embedded images with cid protocol in it. So, I am working on putting our domain path instead of cid's.

Is there a fix to it?

The weird thing is it is only happening in the production servers, which are behind F5 security. In other servers it is working fine. The weird thing is those old emails which has the cid in it working fine without the patch 11. So, I do not think it is F5. I would clearly say it is combination of both. Is there a workaround?

Community Expert, Aug 13, 2021

ashwinia, note that people above were raising this in 2018, well before your update 11 was released (in March 2021). If you had been running cf2018 before that update, then your problem would seem different than those above.

So when you ask if there's a fix, it's just not clear what your problem is, or how it would seem it just differ than all discussed above.

Also, you refer to "old emails which has the cid in it working fine without the patch 11". Do you mean you mail files that had been generated and put into the cf spool or undelivr folders?

Either way, can you be more clear about what you're doing to demonstrate what you feel shows the issue?

Perhaps more detail may help us/others to help you.


/Charlie (troubleshooter, carehart.org)

New Here, Aug 13, 2021

Charlie

Thanks for the quick response.

I took the update way back, when it came. Because of this issue, I had to uninstall the update.

No, this is not the cfmail spool. These emails are pulled from the POP server using the CFPOP tag, and then rendered on to the browser. The HTML body of the emails sometimes has embedded images, which use the cid protocol, for example cid:eedc7a78-ce72-453c-b34d-49a5bcb92e8. This is where the CORS is happening.

I wish I could attach some screenshot, 😞

This issue started as soon as I took the update.

Community Expert, Aug 13, 2021

If the images are actually embedded, there shouldn't be any fetching from a browser, and therefore no CORS problems. Can you validate that the images are actually embedded?

Dave Watts, Eidolon LLC

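The validation asked for in the last reply can be done on the raw message before it is rendered: every `cid:` reference in the HTML body should match the Content-ID of an image part in the same message, and a browser has no way to resolve a `cid:` URL left in the page. The sketch below is an added example, not code from the thread or from ColdFusion; it is written in Python rather than CFML, and `inline_cid_images`, `build_sample` and the sample message are constructed for illustration.

```python
import base64
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

CID_SRC = re.compile(r"""(src\s*=\s*["'])cid:([^"']+)(["'])""", re.IGNORECASE)

def inline_cid_images(raw_message):
    """Return (html, unresolved): the HTML body with cid: image references
    replaced by data: URIs, and the cids that match no embedded image part."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    images, html = {}, ""
    for part in msg.walk():
        cid = part.get("Content-ID")
        # Only image/* parts are inlined; other attachment types are ignored.
        if cid and part.get_content_maintype() == "image":
            images[str(cid).strip().strip("<>")] = part
        elif part.get_content_type() == "text/html" and not html:
            html = part.get_content()
    unresolved = []

    def to_data_uri(match):
        part = images.get(match.group(2))
        if part is None:  # referenced in the HTML but not embedded
            unresolved.append(match.group(2))
            return match.group(0)
        payload = base64.b64encode(part.get_payload(decode=True)).decode("ascii")
        return f"{match.group(1)}data:{part.get_content_type()};base64,{payload}{match.group(3)}"

    return CID_SRC.sub(to_data_uri, html), unresolved

def build_sample():
    """Constructed message: one embedded image, one dangling cid reference."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("plain-text fallback")
    msg.add_alternative(
        '<p><img src="cid:logo@example.test"><img src="cid:missing@example.test"></p>',
        subtype="html")
    html_part = msg.get_payload()[1]
    # Placeholder bytes, not a real PNG; only the MIME structure matters here.
    html_part.add_related(b"\x89PNG\r\n\x1a\n-constructed-", "image", "png",
                          cid="<logo@example.test>")
    return msg.as_bytes()

if __name__ == "__main__":
    html, unresolved = inline_cid_images(build_sample())
    print(html)
    print("no matching Content-ID part:", unresolved)
```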