Azure AD B2C CrossOriginException despite CORS being configured

Question

Azure AD B2C CrossOriginException despite CORS being configured

Chris Beer 0

Hi all

We are seeing a significant number of exceptions being logged to App Insights by our Azure AD B2C custom policies.

Microsoft.Cpim.UserExperience.Client.CrossOriginException

The resource 'https://xxx/xxx.html' contains script errors preventing it from being loaded.

The issue seems to be intermittent as the vast majority of users are able to sign in successfully. We can see a similar error message in the logs of some of our relying parties, indicating it is being sent in the response by Azure AD B2C, so seems likely that this manifests as a visible issue when it occurs.

Our UI templates are hosted in a storage account, and the CORS policy is configured as per Microsoft documentation. We have also confirmed that the templates do not contain any script errors.

Having reviewed the obvious things and having no success we are now left scratching our heads. If anyone is able to offer any insights on what might be the potential cause these would be gratefully received.

Thanks in advance.

Gudivada Adi Navya Sri 21,095 Reputation points Moderator

2025-01-24T16:47:48.9766667+00:00

Hi @Chris Beer

Thank you for posting this in Microsoft Q&A.

I'm reviewing your query, will get back to you shortly.

Thanks,

Navya.
Gudivada Adi Navya Sri 21,095 Reputation points Moderator

2025-01-28T12:23:54.77+00:00

Hi @Chris Beer

Thank you for posting this in Microsoft Q&A.

I understand that you are noticing a significant number of exceptions being logged to App Insights in your Azure AD B2C custom policies.

Based on the error message "Microsoft.Cpim.UserExperience.Client.CrossOriginException - The resource 'https://xxx/xxx.html' contains script errors preventing it from being loaded", it seems the issue is occurring due to script errors.

As you mentioned, you have already checked the script, confirmed there are no errors, and enabled the CORS policy.

Could you please confirm which type of storage account you are using? If you're using an Azure Storage Blob, the CORS configuration should look like this: https://your-tenant-name.b2clogin.com (in lowercase).

If it matches, this generally means it is not an issue with CORS, but rather an issue with the hosting provider reliably returning all images, JavaScript, CSS, etc., that are referenced in the custom HTML document. To troubleshoot this scenario, it is recommended to run load tests on the custom HTML page.

Thanks,

Navya.
Gudivada Adi Navya Sri 21,095 Reputation points Moderator

2025-01-30T08:50:36.73+00:00

Hi @Chris Beer

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Gudivada Adi Navya Sri 21,095 Reputation points Moderator

2025-02-03T10:00:09.43+00:00

Hi @Chris Beer

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.

1 answer

Your answer

Gudivada Adi Navya Sri 21,095 Reputation points Moderator

2025-01-24T16:47:48.9766667+00:00

Hi @Chris Beer

Thank you for posting this in Microsoft Q&A.

I'm reviewing your query, will get back to you shortly.

Thanks,

Navya.
Gudivada Adi Navya Sri 21,095 Reputation points Moderator

2025-01-28T12:23:54.77+00:00

Hi @Chris Beer

Thank you for posting this in Microsoft Q&A.

I understand that you are noticing a significant number of exceptions being logged to App Insights in your Azure AD B2C custom policies.

Based on the error message "Microsoft.Cpim.UserExperience.Client.CrossOriginException - The resource 'https://xxx/xxx.html' contains script errors preventing it from being loaded", it seems the issue is occurring due to script errors.

As you mentioned, you have already checked the script, confirmed there are no errors, and enabled the CORS policy.

Could you please confirm which type of storage account you are using? If you're using an Azure Storage Blob, the CORS configuration should look like this: https://your-tenant-name.b2clogin.com (in lowercase).

If it matches, this generally means it is not an issue with CORS, but rather an issue with the hosting provider reliably returning all images, JavaScript, CSS, etc., that are referenced in the custom HTML document. To troubleshoot this scenario, it is recommended to run load tests on the custom HTML page.

Thanks,

Navya.
Gudivada Adi Navya Sri 21,095 Reputation points Moderator

2025-01-30T08:50:36.73+00:00

Hi @Chris Beer

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Gudivada Adi Navya Sri 21,095 Reputation points Moderator

2025-02-03T10:00:09.43+00:00

Hi @Chris Beer

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.

Answer 1

We encountered this issue and found it was due to a Private Endpoint Connection on the Storage Account hosting our static content.

An nslookup on our Storage Account URI resolved two aliases:
Aliases: xxxxx.blob.core.windows.net
xxxxx.privatelink.blob.core.windows.net

If someone tried to load our login page from a network with its own Azure privatelink resolver, their browser would attempt to load our content from their own tenant.

We resolved this by deleting the private endpoint connection (found under Security + Networking > Networking > Private Endpoint Connections in the Storage Account Console). This immediately stopped the ClientCrossOriginException messages. If you need the private endpoint, make sure the privatelink alias doesn't appear in DNS outside your network.

Share via

Azure AD B2C CrossOriginException despite CORS being configured

1 answer

Your answer