turbotax icon
turbotax icon
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
turbotax icon
turbotax icon
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
turbotax icon
turbotax icon
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
turbotax icon
turbotax icon
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Close icon
Do you have a TurboTax Online account?

We'll help you get started or pick up where you left off.

Yes No
lc123456
New Member

Problems with Turbo Tax Web Site on Chrome / Firefox / other browsers enforcing CORS policies

This is not really a question as it is a statement to the Intuit / Turbotax web team flagging serious issues related to logging in and sending any form that requires a POST. I was unable to find a place/forum where I could submit technical feedback about the web site or related issues so am posting a discussion here.

I was attempting to log into my Turbotax account on Chrome and Firefox and initially thought that failed login messages were due to a forgotten password. Attempts to reset my password via email, phone, and other verification were also unsuccessful and each form I filled out to request a reset never successfully submitted. 

I am a software architect so took a look at the console errors where I was having issues - it seems that that the Turbo Tax site has a wildcard (*) set for the Access-Con[product key removed]n header which is blocked by the built-in policy for both Chrome and Firefox. This will result in errors such as "Access to fetch at 'https://prod-services.myturbotax.intuit.com/services/mytt/v2/dashboardState?_=[phone number removed]...' from origin 'https://myturbotax.intuit.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Con[product key removed]n' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'."

I had to explicitly disable built-in CORs enforcement for Chrome and Firefox to be able to POST any form but wanted to flag this issue to the Turbo Tax web team because it is a security issue. 




posted
‎April 18, 2020 3:23 PM
last updated ‎April 18, 2020 3:23 PM
0
187
Reply
Bookmark Icon
Connect with an expert
x
Do you have an Intuit account?

Do you have an Intuit account?

You'll need to sign in or create an account to connect with an expert.

Still have questions?

Make a post
Featured forums
Taxes
Lower Debt
Investing
Self-Employed
All topics
Live Full Service: Taxes Done for you! Get matched with a local tax expert who can do your taxes, start-to-finish, the same day. Start for free!
message box icon

Get more help

Ask questions and learn more about your taxes and finances.

Post your Question

Related Content

crash12_mn
Kawika808
Mark_NC
klhrabosky
4theonetruejax-g

Did the information on this page answer your question?

thumb-up Yes
thumb-down No
close icon
checkmark

Thank you for helping us improve the TurboTax Community!

Sign in to Turbotax

and start working
on your taxes

File your taxes, your way

Get expert help
or do it yourself.

Get started
close icon
icon help

Access additional help, including our tax experts

Post your question

to receive guidance
from our tax experts and community.

Connect with an expert

Real experts - to help
or even do your taxes for you.

Get started
Manage cookies