Cross-Reference Origin Sharing (CORS)
CORS Errors
This article provides a short description related to the Cross-Reference Origin Sharing (CORS) errors that can appear on your requests through applications.
What is CORS?
CORS is a standard that allows interactions with resources from a different origin. Based on the same-origin-policy (security mechanism) to prevent how a document or script loaded from one origin can interact with resources from another origin.
If the CORS is not configured you can see the error on the console's browser indicating that the request was blocked: "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at $somesite".
When do I know if the requests are from the same origin?
It is simple if the two URLs have the same protocol, host, and port.
This an example of compliance with the same-origin-policy
https://localhost:80/index.html request data to https://localhost:80/api/user/75214
This an example of non-compliance with the same-origin-policy
https://localhost:80/index.html request data to https://example.com:80/api/user/75214
What kind of errors could appear?
When a CORS error is shown on the console, a part of the text is a reason message indicating what went wrong. The following list describes the most common CORS errors:
-
Reason: A request was attempted but CORS is disabled on your browser.CORS DISABLED
Solution: You need to navigate into setting's browser and set the option content.cors.disable false. -
Reason: An HTTP request fails for network or protocol level. In some cases is caused for a plugin or extension or because the second origin has an invalid certificate.CORS request did not succeed
Solution: Retry the request and disable the plugins and extensions. Check if the second origin is available and has a valid certificate. -
Reason: The web browser cannot add the required origin header to the HTTP request.CORS header ‘Origin’ cannot be added
Solution: Verify if the script is not running with enhanced privileges. -
Reason: The request redirects to another origin (not the original).CORS request external redirect not allowed
Solution: Update the URL on your server's code. -
Reason: The request is not redirected to a valid HTTP URL, for example, file:/// URL.CORS request not HTTP
Solution: Check the URL in your server's code. -
Reason: The response is missing the Acces-Control-Allow-Origin header.CORS header 'Access-Control-Allow-Origin' missing
Solution: Add the origin to the header of the request. Access-Control-Allow-Origin: https://rackspace.com or you can use * to allow access from any site. -
Reason: The response includes more than one Access-Control-Allow-Origin.CORS header 'Access-Control-Allow-Origin' does not match 'xyz'
Solution: Make sure the CORS request is configured to include your origin in its Access-Control-Allow-Origin header and only has an Access-Control-Allow-Origin header. -
Reason: The CORS request was attempted with the credentials flag set, but the server is configured using the wildcard ("*") as the value of Access-Control-Allow-Origin, which doesn't allow the use of credentials.Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’
Solution: Ensure that the credentials flag's value is false when issuing your CORS request.
XMLHttpRequest setting the value of withCredentials to false.
Server-sent events make sure EventSource.withCredentials is false (it's the default value).
If using the Fetch API, make sure Request.credentials is "omit". -
Reason: The method of the HTTP request is not included in the list of Access-Control-Allow-Methods header.Did not find method in CORS header ‘Access-Control-Allow-Methods’
Solution: Configure the header with the needed methods: Access-Control-Allow-Methods: GET,HEAD,POST -
Reason: When the server's Access-Control-Allow-Credentials header's value is not set to true to enable their use.Expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’
Solution: On the client side revise the following configuration:
XMLHttpRequest setting the value of withCredentials to false.
Server-sent events make sure EventSource.withCredentials is false (it's the default value).
If using the Fetch API, make sure Request.credentials is "omit".
To eliminate this error on the server-side set Access-Control-Allow-Credentials value to true. -
Reason: The CORS request requires and preflight and preflighting could not be performed. A cross-site request already did a preflight. The preflight request suffered any networking error.CORS preflight channel did not succeed
Solution: Verify that your code only preflight once per connection. -
Reason: This occurs when the response to the CORS includes Access-Control-Allow-Methods and at least one is an invalid header method.Invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Methods’
Solution: Verify that all methods in the Access-Control-Allow-Methods are valid HTTP methods. -
Reason: This occurs when the response to the CORS includes Access-Control-Allow-Methods and at least one is an invalid header name.invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’
Solution: Verify that all header names in Access-Control-Allow-Headers are not invalid or unknown. -
Reason: This error occurs when attempting to preflight a header that is not included in the list specified by the Access-Control-Allow-Headers header.Missing token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel
Solution: The server needs to be updated so that it allows the indicated header or avoids it. -
Reason: More than one Access-Control-Allow-Origin header was sent by the server.Multiple CORS header 'Access-Control-Allow-Origin' not allowed
Solution: Verify in your server that you cannot send a list of origins because the browsers only accept a single origin or null.
Conclusions
This article shows the different type of errors and possible solutions you can get while using CORS within your web server.
Updated 12 months ago