Introduction

Cross-Origin Resource Sharing (CORS) is a browser security mechanism: by default, browsers block web pages from making requests to a different origin unless the target server opts in with CORS response headers. Azure Storage services therefore need a CORS configuration before browser-based applications on other origins can access blobs, files, and tables.

Symptoms

Browser console CORS error:

```text
// In browser developer tools console:
Access to fetch at 'https://mystorageaccount.blob.core.windows.net/container/file.json' from origin 'https://myapp.example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
```

Preflight request failure:

```text
// OPTIONS request fails:
OPTIONS https://mystorageaccount.blob.core.windows.net/container/file.json
Status: 403 Forbidden

Response headers:
x-ms-error-code: CORSOriginNotFound
```

Application error:

```text
// In application logs:
Error: Failed to fetch
CORS policy blocked the request
```

Common Causes

  1. No CORS rules configured - Storage account has no CORS policy
  2. Origin not in allowed list - Your domain not specified
  3. Method not allowed - HTTP method not in CORS rules
  4. Header not allowed - Request header missing from allowed headers
  5. Max age exceeded - Cached CORS response expired
  6. Wildcard not used - Using specific origins when wildcard needed
  7. Wrong service - Configuring CORS for blob when using file share

Step-by-Step Fix

  1. Check logs for specific error messages
  2. Verify configuration settings
  3. Test network connectivity
  4. Review recent changes
  5. Apply corrective action
  6. Verify the fix

Step 1: Check Current CORS Configuration

```bash
# Get CORS rules for blob service
az storage account blob-service-properties show \
  --account-name mystorageaccount \
  --resource-group my-rg \
  --query cors

# Get CORS rules for all services (b=blob, f=file, q=queue, t=table)
az storage cors list \
  --account-name mystorageaccount \
  --services bfqt
```

Step 2: Add CORS Rule via Azure CLI

```bash
# Add CORS rule for blob service
# (az storage cors add appends a rule; run "az storage cors clear" first to replace existing rules)
az storage cors add \
  --account-name mystorageaccount \
  --services b \
  --origins "https://myapp.example.com" \
  --methods GET PUT POST DELETE OPTIONS \
  --allowed-headers "*" \
  --exposed-headers "*" \
  --max-age 3600

# Allow multiple origins (each origin is a separate list entry)
az storage cors add \
  --account-name mystorageaccount \
  --services b \
  --origins "https://myapp.example.com" "https://admin.example.com" \
  --methods GET PUT POST \
  --allowed-headers "*" \
  --exposed-headers "*" \
  --max-age 3600

# Allow all origins (development only)
az storage cors add \
  --account-name mystorageaccount \
  --services b \
  --origins "*" \
  --methods GET PUT POST DELETE OPTIONS HEAD \
  --allowed-headers "*" \
  --exposed-headers "*" \
  --max-age 3600
```

Step 3: Verify CORS Headers in Response

```bash
# Test CORS preflight request
curl -X OPTIONS "https://mystorageaccount.blob.core.windows.net/container/file.json" \
  -H "Origin: https://myapp.example.com" \
  -H "Access-Control-Request-Method: GET" \
  -H "Access-Control-Request-Headers: x-ms-*" \
  -v

# Look for response headers:
# access-control-allow-origin: https://myapp.example.com
# access-control-allow-methods: GET,PUT,POST,DELETE,OPTIONS
# access-control-allow-headers: x-ms-*
```

Step 4: Configure Allowed Methods

```bash
# Methods typically needed:
# GET: Download files
# PUT: Upload files
# POST: Create resources
# DELETE: Delete files
# OPTIONS: Preflight requests
# HEAD: Check file metadata

# (az storage cors add appends a rule; run "az storage cors clear" first to replace existing rules)
az storage cors add \
  --account-name mystorageaccount \
  --services b \
  --origins "*" \
  --methods GET PUT POST DELETE OPTIONS HEAD \
  --allowed-headers "*" \
  --exposed-headers "*" \
  --max-age 3600
```

Step 5: Configure Allowed Headers

```bash
# Common headers needed for Azure Storage:
# - x-ms-* headers (Azure specific)
# - Authorization
# - Content-Type
# - Content-Length
# - If-Match, If-None-Match

# Allow all headers
az storage cors add \
  --account-name mystorageaccount \
  --services b \
  --origins "*" \
  --methods GET PUT POST DELETE OPTIONS \
  --allowed-headers "*" \
  --exposed-headers "*" \
  --max-age 3600

# Or specify specific headers
az storage cors add \
  --account-name mystorageaccount \
  --services b \
  --origins "https://myapp.example.com" \
  --methods GET PUT POST \
  --allowed-headers "content-type" "x-ms-*" "authorization" \
  --exposed-headers "x-ms-*" "etag" \
  --max-age 3600
```

Step 6: Configure Exposed Headers

```bash
# Headers that the browser should be able to access
# Common Azure Storage headers:
# - x-ms-request-id
# - x-ms-version
# - ETag
# - Content-Range

az storage cors add \
  --account-name mystorageaccount \
  --services b \
  --origins "*" \
  --methods GET PUT POST \
  --allowed-headers "*" \
  --exposed-headers "x-ms-request-id" "x-ms-version" "ETag" "Content-Range" \
  --max-age 3600
```

Step 7: Clear Browser CORS Cache

```bash
# Browser caches CORS preflight responses
# Clear cache to apply new rules:

# Chrome: DevTools > Application > Storage > Clear site data
# Firefox: DevTools > Storage > Clear
# Or hard refresh: Ctrl+Shift+R (Windows) / Cmd+Shift+R (Mac)

# Or wait for maxAgeInSeconds to expire
```

Step 8: Test with JavaScript

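```javascript
// Test fetch with CORS
fetch('https://mystorageaccount.blob.core.windows.net/container/file.json', {
  method: 'GET',
  headers: {
    'Accept': 'application/json'
  }
})
  .then(response => {
    // A CORS failure rejects the promise; an HTTP error (e.g. 403) does not, so check it here
    if (!response.ok) throw new Error(`HTTP ${response.status}`);
    return response.json();
  })
  .then(data => console.log('Success:', data))
  .catch(error => console.error('Error:', error));
```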

Step 9: Check for Multiple CORS Rules

```bash
# List all CORS rules
az storage account blob-service-properties show \
  --account-name mystorageaccount \
  --resource-group my-rg \
  --query cors.corsRules

# Azure Storage allows up to 5 CORS rules
# First matching rule wins (based on origin)

# Remove all CORS rules if needed
az storage cors clear \
  --account-name mystorageaccount \
  --services b
```
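Why rule order matters, as an added example that is not part of the original page: a simplified model of the evaluation order Microsoft documents for Azure Storage CORS, where the first rule matching both origin and method is selected and only then are request headers checked. The function names and sample rules are constructed for illustration; origin matching is modelled as exact match or `*` only.

```javascript
// Added example: simplified model of Azure Storage CORS rule evaluation.
// An allowed-header entry matches as "*", an exact name, or a prefix such as "x-ms-*".
function headerAllowed(name, allowedHeaders) {
  const n = name.trim().toLowerCase();
  return allowedHeaders.some((entry) => {
    const e = entry.trim().toLowerCase();
    if (e === '*') return true;
    return e.endsWith('*') ? n.startsWith(e.slice(0, -1)) : n === e;
  });
}

// Simulate a preflight; returns { allowed, ruleIndex, reason }.
function evaluatePreflight(rules, { origin, method, requestHeaders = [] }) {
  for (let i = 0; i < rules.length; i++) {
    const rule = rules[i];
    const originOk = rule.allowedOrigins.includes('*') || rule.allowedOrigins.includes(origin);
    if (!originOk || !rule.allowedMethods.includes(method.toUpperCase())) continue;
    // Origin and method matched: this rule is selected and later rules are never consulted.
    const blocked = requestHeaders.filter((h) => !headerAllowed(h, rule.allowedHeaders));
    return blocked.length > 0
      ? { allowed: false, ruleIndex: i, reason: `header not allowed: ${blocked.join(', ')}` }
      : { allowed: true, ruleIndex: i, reason: 'ok' };
  }
  return { allowed: false, ruleIndex: -1, reason: 'no rule matches origin and method' };
}

// Constructed sample rules (not taken from a real account).
const sampleRules = [
  { allowedOrigins: ['*'], allowedMethods: ['GET', 'HEAD'], allowedHeaders: ['accept'] },
  { allowedOrigins: ['https://myapp.example.com'], allowedMethods: ['GET', 'PUT'],
    allowedHeaders: ['content-type', 'x-ms-*'] },
];

// PUT skips rule 0 (method mismatch) and is allowed by rule 1.
const upload = evaluatePreflight(sampleRules, {
  origin: 'https://myapp.example.com', method: 'PUT',
  requestHeaders: ['x-ms-blob-type', 'Content-Type'],
});
// GET with an x-ms-* header is captured by rule 0 and rejected there,
// even though rule 1 would have allowed it.
const shadowed = evaluatePreflight(sampleRules, {
  origin: 'https://myapp.example.com', method: 'GET', requestHeaders: ['x-ms-version'],
});
console.log(upload, shadowed);
```

Placing the narrower, origin-specific rule before the broad one avoids the shadowing shown in the second call.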

Step 10: Check Authentication with CORS

```javascript
// CORS and authentication work together
// If using SAS token, include it in the URL

// Browser request:
fetch('https://mystorageaccount.blob.core.windows.net/container/file.json?sastoken', { method: 'GET' })

// Or use Azure AD with managed identity for backend services
// Frontend should not have direct access to storage credentials
```

CORS Configuration Parameters

| Parameter | Description | Example |
|---|---|---|
| allowedOrigins | Domains that can make requests | https://app.com or * |
| allowedMethods | HTTP methods allowed | GET, PUT, POST |
| allowedHeaders | Request headers allowed | content-type, x-ms-* |
| exposedHeaders | Response headers browser can read | ETag, x-ms-request-id |
| maxAgeInSeconds | Preflight cache duration | 3600 |
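A review aid for these parameters, added here and not part of the original page: a small linter over CORS rules in the JSON shape of the table above. It flags wildcard origins (more loudly when write methods are allowed), origins joined into one comma-separated string, non-HTTPS origins, and wildcard exposed headers. The function name and sample rules are constructed for illustration.

```javascript
// Added example: lint CORS rules in the JSON shape of the parameter table above.
const WRITE_METHODS = new Set(['PUT', 'POST', 'DELETE', 'PATCH', 'MERGE']);
const MAX_RULES = 5; // rule limit stated on this page

function auditCorsRules(rules) {
  const findings = [];
  const flag = (rule, issue) => findings.push({ rule, issue });
  if (rules.length > MAX_RULES) flag(-1, `more than ${MAX_RULES} rules`);

  rules.forEach((rule, i) => {
    // Tolerate a bare string where a list is expected, but report it.
    const origins = [].concat(rule.allowedOrigins || []);
    if (!Array.isArray(rule.allowedOrigins)) flag(i, 'allowedOrigins is not a list');
    const writes = (rule.allowedMethods || []).filter((m) => WRITE_METHODS.has(m.toUpperCase()));

    for (const o of origins) {
      if (o === '*') {
        flag(i, writes.length ? `any origin may use ${writes.join(',')}` : 'any origin allowed');
      } else if (o.includes(',')) {
        flag(i, 'several origins joined in one string; an Origin header never equals it');
      } else if (!o.startsWith('https://')) {
        flag(i, `non-HTTPS origin: ${o}`);
      }
    }
    if ((rule.exposedHeaders || []).includes('*')) flag(i, 'all response headers exposed');
  });
  return findings;
}

// Constructed sample input.
const sample = [
  { allowedOrigins: ['*'], allowedMethods: ['GET', 'PUT', 'DELETE'],
    allowedHeaders: ['*'], exposedHeaders: ['*'], maxAgeInSeconds: 3600 },
  { allowedOrigins: 'https://myapp.example.com,https://admin.example.com',
    allowedMethods: ['GET'], allowedHeaders: ['content-type'],
    exposedHeaders: ['ETag'], maxAgeInSeconds: 3600 },
  { allowedOrigins: ['https://myapp.example.com'], allowedMethods: ['GET', 'HEAD'],
    allowedHeaders: ['content-type', 'x-ms-*'], exposedHeaders: ['ETag'], maxAgeInSeconds: 3600 },
];
const findings = auditCorsRules(sample);
console.log(findings);
```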

Verification

```bash
# Test CORS from browser or curl
curl -X OPTIONS "https://mystorageaccount.blob.core.windows.net/container/file.json" \
  -H "Origin: https://myapp.example.com" \
  -H "Access-Control-Request-Method: GET" \
  -v

# Should see in response:
# < access-control-allow-origin: https://myapp.example.com
# < access-control-allow-methods: GET,PUT,POST,DELETE,OPTIONS

# Browser test should succeed without CORS errors
```


Fix Azure CORS Policy Blocking Browser Calls. FixWikiHub Editorial Team, FixWikiHub, published 2026-04-02. https://www.fixwikihub.com/fix-azure-cors-policy-blocking-calls