Admin forbidden CORS error tinymce-cms

Silverstripe Version:5


After upgrading to SS-5 I can log into the admin area and everything seems to work, but as soon as I try to open a page I only get to see the preview window on the right and a “Forbidden” and the left hand side is apart from the menu and headings empty. No fields to enter.

In the browser network tab I can see that it is a 403 “strict-origin-when-cross-origin” for the tinmce-cms-xxx.js file.

Locally I have no problem with it and the website runs smoothly on a test-server on a different hosting company’s server.

Has anybody any idea what might cause this? Are there any special settings somewhere on the server I have to set?

It might be related to this issue: SS4.3.0 "Forbidden" error message arises when trying to edit a page · Issue #2357 · silverstripe/silverstripe-cms · GitHub but I don’t have any files with more than one “.” although I tried this fix, but still didn’t work.

Assets folder permission is “0755”, _tinymce folder “700” and file (tinymce-cms-xxxx.js) permission “0664”. On the other server I believe is the same permission setting: asset folder: drwxrwxr-x, _tinymce folder: drwx------ and file: -rw-rw-r–

The hosting company suggested to change the permission of the _tinymce folder to 755, but that didn’t help either. As it turns out the permission get set back to 700 automatically.

It might also be related to admin/pages/edit/show/ID throws 404 errors

So, what could be the reason why it works on one server and not on the other?

Just in case anybody else has the same issue here is the solution that worked for me:

      public: 0644
      private: 0644
      public: 0755
      private: 0755

It seems this issue is around for quite some time:

I also found out the problem in different hosting company’s set-up.
On the server where the _tinymce works with permission 700 the “owner” and “group” are the same whereas on the other hosting server they are different.