Problems with Turbo Tax Web Site on Chrome / Firefox / other browsers enforcing CORS policies
This is not really a question as it is a statement to the Intuit / Turbotax web team flagging serious issues related to logging in and sending any form that requires a POST. I was unable to find a place/forum where I could submit technical feedback about the web site or related issues so am posting a discussion here.
I was attempting to log into my Turbotax account on Chrome and Firefox and initially thought that failed login messages were due to a forgotten password. Attempts to reset my password via email, phone, and other verification were also unsuccessful and each form I filled out to request a reset never successfully submitted.
I am a software architect so took a look at the console errors where I was having issues - it seems that the Turbo Tax site has a wildcard (*) set for the Access-Con[product key removed]n header which is blocked by the built-in policy for both Chrome and Firefox. This will result in errors such as "Access to fetch at 'https://prod-services.myturbotax.intuit.com/services/mytt/v2/dashboardState?_=[phone number removed]...' from origin 'https://myturbotax.intuit.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Con[product key removed]n' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'."
I had to explicitly disable built-in CORS enforcement for Chrome and Firefox to be able to POST any form but wanted to flag this issue to the Turbo Tax web team because it is a security issue.
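As an added example (not code from the post or from Intuit), this models the access-control check a browser applies to a credentialed cross-origin request, which is what produces the quoted error, next to a server-side header builder that passes it by echoing an allowlisted origin instead of the wildcard. The origin allowlist, the function names and the "omit" handling are assumptions; only the hostnames come from the post.

```javascript
// Added example, not Intuit's code: why "*" fails for credentialed requests
// and what a server should send instead. Origins are taken from the post.

const ALLOWED_ORIGINS = new Set([
  "https://myturbotax.intuit.com", // assumption: the app's first-party origin
]);

// Weak configuration: wildcard origin together with credentials. Browsers
// reject this combination on every request sent with cookies, so each
// login POST from the app origin fails its preflight.
function corsHeadersWildcard() {
  return {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened configuration: reflect the Origin only when it is allowlisted and
// add Vary: Origin so shared caches do not serve one origin's answer to another.
function corsHeadersAllowlist(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) {
    return {}; // no CORS headers at all: the browser blocks the read
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST",
    "Access-Control-Allow-Headers": "Content-Type",
    Vary: "Origin",
  };
}

// Model of the browser's check. With credentials mode "include" the allowed
// origin must equal the requesting origin (never "*") and credentials must be
// explicitly allowed. Returns null when the response passes, else the reason.
function browserCorsCheck(requestOrigin, responseHeaders, credentialsMode) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const acac = responseHeaders["Access-Control-Allow-Credentials"];
  if (acao === undefined) return "missing Access-Control-Allow-Origin";
  if (credentialsMode === "include") {
    if (acao === "*") return "wildcard '*' not allowed with credentials";
    if (acao !== requestOrigin) return "origin mismatch";
    if (acac !== "true") return "Access-Control-Allow-Credentials must be 'true'";
    return null;
  }
  if (acao !== "*" && acao !== requestOrigin) return "origin mismatch";
  return null;
}
```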