(failed)net::ERR_BLOCKED_BY_ORB

Guys, my images are blocked with status (failed)net::ERR_BLOCKED_BY_ORB. I added a "Transform Rule -> Modify Response Header" to set access-control-allow-origin: * and my back-end has has the same. Is there anything else needed to allow me render assets from this other my domain?
No description
5 Replies
wakrypt
wakryptOP3mo ago
Here the Response header, you can see it live at https://www.pedescalco.com.br/unidades:
access-control-allow-origin:
*
alt-svc:
h3=":443"; ma=86400

cache-control:
private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
cf-ray:
8d6a36542c9b603c-GRU
content-encoding:
zstd
content-type:
text/html; charset=UTF-8
date:
Tue, 22 Oct 2024 14:35:08 GMT
expires:
Thu, 01 Jan 1970 00:00:01 GMT
nel:
{"success_fraction":0,"report_to":"cf-nel","max_age":604800}
priority:
u=3,i
referrer-policy:
same-origin
report-to:
{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=puNsV65pqdHN8SFDo%2FnAENyfXPvfQZ8QvrULNvdUvCU%2BgcdwhDm36U%2BL2jL3X8YGQcIE2h7ci5xmT5H5Rlw8%2BIt49ShsG%2B8qxBQMLRGjNU5JD8Pkd6ufhp53iV9o0vU3"}],"group":"cf-nel","max_age":604800}
server:
cloudflare
server-timing:
cfL4;desc="?proto=QUIC&rtt=72813&sent=134&recv=100&lost=0&retrans=0&sent_bytes=93129&recv_bytes=37289&delivery_rate=127121&cwnd=31800&unsent_bytes=0&cid=6d8b56a9fe23ca61&ts=18418&x=1"
server-timing:
cfExtPri
server-timing:
cfHdrFlush;dur=0
strict-transport-security:
max-age=63072000; includeSubDomains; preload
vary:
Referer, Accept-Encoding
x-content-type-options:
nosniff
x-frame-options:
SAMEORIGIN
access-control-allow-origin:
*
alt-svc:
h3=":443"; ma=86400

cache-control:
private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
cf-ray:
8d6a36542c9b603c-GRU
content-encoding:
zstd
content-type:
text/html; charset=UTF-8
date:
Tue, 22 Oct 2024 14:35:08 GMT
expires:
Thu, 01 Jan 1970 00:00:01 GMT
nel:
{"success_fraction":0,"report_to":"cf-nel","max_age":604800}
priority:
u=3,i
referrer-policy:
same-origin
report-to:
{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=puNsV65pqdHN8SFDo%2FnAENyfXPvfQZ8QvrULNvdUvCU%2BgcdwhDm36U%2BL2jL3X8YGQcIE2h7ci5xmT5H5Rlw8%2BIt49ShsG%2B8qxBQMLRGjNU5JD8Pkd6ufhp53iV9o0vU3"}],"group":"cf-nel","max_age":604800}
server:
cloudflare
server-timing:
cfL4;desc="?proto=QUIC&rtt=72813&sent=134&recv=100&lost=0&retrans=0&sent_bytes=93129&recv_bytes=37289&delivery_rate=127121&cwnd=31800&unsent_bytes=0&cid=6d8b56a9fe23ca61&ts=18418&x=1"
server-timing:
cfExtPri
server-timing:
cfHdrFlush;dur=0
strict-transport-security:
max-age=63072000; includeSubDomains; preload
vary:
Referer, Accept-Encoding
x-content-type-options:
nosniff
x-frame-options:
SAMEORIGIN
Flare
Flare3mo ago
Troubleshooting 403 / CORS issues with R2 So, your assets aren't loading because you are getting a CORS error despite having setup everything correctly? Let's try troubleshooting. In your browser console, do you see a 401/403 error right above the CORS error? If yes, then you aren't actually dealing with a CORS issue! If you do have a CORS issue, head to the last section. If you are using a Custom domain Go to the Network tab and find the failing request (you may need to reload the page, since only requests after opening the developer tools are logged). You need to check the response headers for the following two headers: - cf-cache-status - cf-mitigated If you have a cf-mitigated header Your request was blocked by one of your WAF rules. Go to Security Events and look for what service blocked your request. If you don't have a cf-cache-status header Your request was blocked by Hotlink Protection. Go to your dashboard and disable it or write a configuration rule to only disable on your Custom domain If you are using the S3 API Your request is very likely incorrectly signed. Try executing the request via curl to inspect the real response returned by the S3 api and then tackle that issue. Once your request is correctly signed, you'll receive the proper CORS headers. If it's actually CORS Here are some common issues with CORS configurations: - ExposeHeaders is missing headers like ETag - AllowedHeaders is missing headers like Authorization or Content-Type - AllowedMethods is missing methods like POST/PUT (you do not need to include OPTIONS)
wakrypt
wakryptOP3mo ago
The problem was indeed the Hotlink protection. I didn't know about the events on security section and it was working 3 days ago, so I was surprised. Thank you very much, Leo. You saved my day! ❣️
wakrypt
wakryptOP3mo ago
@Leo , I'm trying to create the rule to skip the hotlink protection but for pedescalco.com.br, but it's not working. Anything you see here? I even add a allow origin to fix it, but no luck. I appreciate any tip here.
No description
No description
No description
wakrypt
wakryptOP2mo ago
@Leo So I can't disable it by Origin requester (pedescalco.com.br), right? Only for what is accessed on my own site (danca.com). What is the best way to allow Hotlink only for pedescalco.com.br domain? @Leo Just following you up.
Want results from more Discord servers?
Add your server