CORS header 'Access-Control-Allow-Origin' does not match... but it does‼

javascript http-headers cors firebug
23,844

Solution 1

The actual issue is that the Access-Control-Allow-Origin header should include the protocol, not just the hostname. It would be much better if the web browsers simply included this part in the error message.

So in the above, do:

headers.set("Access-Control-Allow-Origin", "http://pzmap.crash-override.net");

Solution 2

I wrestled with this same problem for hours, and discovered that I had added a forward slash to the end of my origin: https://foo.com/, when it should have been https://foo.com. (Talk about a major face-palm moment!)

My (now working) Express Node.JS setup:

const express = require('express');
const cors = require('cors');
const app = express();

app.use(cors({
  methods: 'GET,POST,PATCH,DELETE,OPTIONS',
  optionsSuccessStatus: 200,
  origin: 'https://foo.com'
}));
app.options('*', cors());

Solution 3

The comment #1 above is correct: CORS needs the Access-Control-Allow-Origin header to be match what the client's original request was (for an end-to-end SSL experience). So in this case, be sure you set pzmap.crash-override.net in your Access-Control-Allow-Origin headers.

Two notes:

1- Despite what you may read online, nginx currently requires multiple entries to be listed as separate lines, a la: add_header Access-Control-Allow-Origin "https://developers.google.com"; add_header Access-Control-Allow-Origin "https://imasdk.googleapis.com";

2 - Also despite what you may read online, usage of a wildcard is not ok. Not all clients (meaning browsers) allow it.

Share:
23,844

Related videos on Youtube

Tomáš Zato
Author by

Tomáš Zato

It might be easier to hire new management than to get a new community of volunteers. - James jenkins If you play League of Legends, check my repository: http://darker.github.io/auto-client/ I no longer play and I am actively looking for someone to maintain the project. It helped thousands of people, literally.

Updated on May 25, 2020

Comments

  • Tomáš Zato
    Tomáš Zato almost 4 years

    I'm making a very simple JSON API in Java. It's actually a Project Zomboid mod that serves object coordinates. This is how my HTTP handler looks like:

    public class JSONZomboid implements HttpHandler
{
    @Override
    public void handle(HttpExchange t) throws IOException {
        // HEADERS
        Headers headers = t.getResponseHeaders();
        headers.set("Content-Type", "text/json");   
        headers.set("Access-Control-Allow-Origin", "pzmap.crash-override.net");                 
        t.sendResponseHeaders(200,0);
        //BODY
        OutputStream os = t.getResponseBody();
        os.write("{\n".getBytes());
          // generate JSON here
        os.write("}".getBytes());
        os.close();
    }
}

    I want to load this into Project Zomboid map project using userscript which means I need to enable CORS to connect. This is done via simple code:

    PlayerRenderer.prototype.fetchInfo = function() {
  $.get("http://127.0.0.1:8000/test", {}, this.displayPoints.bind(this));
}

    But I get this error:

    Warning: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://127.0.0.1:8000/test. (Reason: CORS header 'Access-Control-Allow-Origin' does not match 'pzmap.crash-override.net').

    Even in the console I can clearly see the error is misleading:

    image description

    If I didn't already hate CORS, I'd start to hate it now. Can you please tell me what is the actual string that belongs in the allow origin header?

    • Pointy
      Pointy about 8 years
      The header should have the hostname of the site that is allowed access to the content. If you are loading your pages from a site hosted at pzmap.crash-override.net then it should work. The error is telling you what the header contains, not what the source domain was.
    • Tomáš Zato
      Tomáš Zato about 8 years
      You can see which site I'm loading from in the request headers (Origin and Referer).
    • Pointy
      Pointy about 8 years
      Actually it's very hard to see the detail in those images on a little screen :/
    • Pointy
      Pointy about 8 years
      Also I think the header value may need to be a complete URI, like http://pzmap.crash-override.net
    • MMM
      MMM over 7 years
      the #1 comment helped me a lot! thanks!! :-)
  • Mandakh
    Mandakh about 3 years
    headers.set("Access-Control-Allow-Origin", "pzmap.crash-override.net/"); is also not working, end up spent 2 hours to resolve removing last slash symbol... :(

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

CORS and Origin header?
CORS error :Request header field Authorization is not allowed by Access-Control-Allow-Headers in preflight response
Nodejs Express CORS issue with 'Access-Control-Allow-Origin'
CORS Access-Control-Allow-Origin despite correct headers
THREE.js: Cross-origin image load denied by Cross-Origin Resource Sharing policy
Cross domain Missing required request header error with node.js
Sending data via request header vs sending data via request body
alert() return different from console.log()?
Calling custom functions from firebug console
Enabling CORS (Cross Origin Request) in Django