Azure (Docker) Squidex + Angular FE -> CORS when accessing angular

I have…

I’m submitting a…

  • [ ] Regression (a behavior that stopped working in a new release)
  • [x] Bug report
  • [ ] Performance issue
  • [ ] Documentation issue or request

Current behavior

Have been developing an angular app and running locally, with no issues, once deploying the app and accessing via DNS “A” record, cors error:
Access to XMLHttpRequest at ‘https://CMS_URL/identity-server/connect/token’ from origin ‘http://FE_URL’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

Squidex 7.1.0 Hosted on Azure (Docker)
Angular app

1: LocalHost Angular + Azure Squidex -> NO CORS -> Works
2: Remote Angular + Azure Squidex -> CORS
3: LocalHost Angular + Cloud Squidex -> NO CORS -> Works
4: Remote Angular + Cloud Squidex -> NO CORS -> Works

To try and identify the issue, used the same angular app to connect to a cloud-hosted Squidex instance and it worked with no problems, with both localhost and remote host angular.

Is the CORS configuration editable without making code changes? Or is this due to something I am missing?

Chome Dubug

Postman also works to azure squidex…

5: Postman + Azure Squidex -> Works
6: Postman + Cloud Squidex -> Works

Expected behavior

Looking for an understanding of why cloud squidex passes
but azure hosted doesn’t (same request from the same app, the only change is client details and URL)

Minimal reproduction of the problem

Can provide code snippets on request


App Name: dtx-uat-v2

  • [x] Self hosted with docker
  • [ ] Self hosted with IIS
  • [ ] Self hosted with other version
  • [ ] Cloud version

Version: Squidex 7.1.0


  • [x] Chrome (desktop)
  • [ ] Chrome (Android)
  • [ ] Chrome (iOS)
  • [ ] Firefox
  • [ ] Safari (desktop)
  • [ ] Safari (iOS)
  • [ ] IE
  • [ ] Edge

My guess is that azure modifies the headers in some way. From Squidex side it is not configurable.

Thanks for the prompt response @Sebastian.

I’ll investigate further and put my findings here.

Thanks, Tom.

Just adding here incase anyone runs into the same issue.

On the app service page, there is a big button down the left side that says CORS…

yep somehow didn’t see that in all my testing…

Good that you found the solution and thanks for posting an update :slight_smile: