I have an Azure App Service with a mandatory Authentication based on the Azure Active Directory. It is serving an API server and a webapp calling the server.
All the GETs work perfectly; however, the POSTs all get rejected with 403 Forbidden.
The Cookies are properly set to pass the authentication check.
Oddly enough, when I replayed the POST with Postman, they succeeded.
I could narrow down the difference that led to the rejection:
Whenever the User-Agent header is Mozilla/5.0
Why is there such a mechanism in Azure? How do I deactivate it?
2 Answers
After digging into the suggestion, I could verify that it was not a CORS issue, nor precisely a User-Agent to change.
Actually Chrome browser does not support User-Agent update as of 2022-06-06, so this option cannot be chosen.
The solution idea came from https://github.com/Azure/azure-functions-host/issues/1602#issuecomment-309532954
And to focus on the fix, in App Service / Authentication: https://{name}.azurewebsites.net
After this, POST requests worked.
I had the same issue in a non-cross-origin scenario, but for me Benjam’s answer did not work as (it turned out later) the browser sent neither an Origin header (actually null was sent) nor a Referer header – therefore there was nothing to match with the redirect URLs. I recommend checking out and evaluating all the CSRF rules laid out in the thread mentioned in Benjam’s answer.
In my case, the issue was a Referrer-Policy: no-referrer setting that made the browser omit the Referer header. After relaxing the policy, POST requests got through.
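To make the behaviour both answers describe concrete, here is an added example (not code from the thread, nor Azure's own implementation) that models the CSRF check as the thread presents it: only browser-like requests (User-Agent starting with Mozilla/5.0) are checked, only for non-safe methods, and the request's Origin header, falling back to its Referer header, must match the origin of one of the allowed redirect URLs. The allowed list, the hostname contoso-app.azurewebsites.net (standing in for the thread's https://{name}.azurewebsites.net) and all request headers are constructed sample values; treating a literal Origin: null as "no origin" is my assumption based on the second answer.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the App Service Authentication allowed external
# redirect URLs; the thread uses https://{name}.azurewebsites.net here.
ALLOWED_REDIRECT_URLS = ["https://contoso-app.azurewebsites.net"]


def _site_origin(url):
    """Return scheme://host[:port] for a URL (lower-cased), or None if it has no host."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def browser_like(headers):
    """The question narrows the rejection down to User-Agent values starting with Mozilla/5.0."""
    return headers.get("User-Agent", "").startswith("Mozilla/5.0")


def csrf_check(method, headers, allowed=ALLOWED_REDIRECT_URLS):
    """Model of the check (assumption, not Azure's code): return (accepted, reason)."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method, no CSRF check"
    if not browser_like(headers):
        # This is the path a Postman replay takes in the question.
        return True, "non-browser User-Agent, no CSRF check"

    allowed_origins = {_site_origin(u) for u in allowed}

    # Origin is preferred; browsers send the literal string "null" in some
    # cases (the second answer saw exactly that), which carries no origin.
    origin = headers.get("Origin")
    if origin and origin.lower() != "null":
        if _site_origin(origin) in allowed_origins:
            return True, "Origin matches an allowed redirect URL"
        return False, "Origin not in allowed redirect URLs"

    # Fall back to Referer; Referrer-Policy: no-referrer removes it entirely.
    referer = headers.get("Referer")
    if referer:
        if _site_origin(referer) in allowed_origins:
            return True, "Referer matches an allowed redirect URL"
        return False, "Referer not in allowed redirect URLs"

    return False, "browser POST with neither Origin nor Referer (e.g. Referrer-Policy: no-referrer)"


def demo():
    """Replay the situations from the thread with constructed headers; returns name -> accepted."""
    ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
    cases = {
        "get_from_browser": ("GET", {"User-Agent": ua}),
        "postman_replay": ("POST", {"User-Agent": "PostmanRuntime/7.29.0"}),
        "no_referrer_policy": ("POST", {"User-Agent": ua, "Origin": "null"}),
        "same_site_referer": ("POST", {"User-Agent": ua,
                                       "Referer": "https://contoso-app.azurewebsites.net/app/index.html"}),
        "other_site_origin": ("POST", {"User-Agent": ua, "Origin": "https://other.example"}),
    }
    return {name: csrf_check(method, hdrs)[0] for name, (method, hdrs) in cases.items()}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Run as a script it prints one line per scenario. The two answers map onto the last two branches of csrf_check: the first answer adds the site to the allowed redirect URLs so the browser's Origin or Referer has something to match, and the second answer relaxes Referrer-Policy so the browser sends a Referer at all. When debugging a 403 of this kind, compare the request's Origin and Referer headers against the redirect URL list before touching the User-Agent.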