Questions tagged [cors]

Use this tag when you see a message in the browser devtools console about CORS (Cross-Origin Resource Sharing) — e.g., your browser logged an error about Access-Control-Allow-Origin, and you want to know how to eliminate the error. Also for other questions on the CORS protocol (defined in the Fetch Standard as a way to use response headers to tell browsers to relax the same-origin policy and allow cross-origin XHR/Fetch/Ajax requests).

3325 votes
16 answers
6.4m views

Why does my JavaScript code receive a "No 'Access-Control-Allow-Origin' header is present on the requested resource" error, while Postman does not?

Mod note: This question is about why XMLHttpRequest/fetch/etc. on the browser are subject to the Same Access Policy restrictions (you get errors mentioning CORB or CORS) while Postman is not. This ...
Mr Jedi • 34.4k
1606 votes
20 answers
2.6m views

How does the 'Access-Control-Allow-Origin' header work?

Apparently, I have completely misunderstood its semantics. I thought of something like this: A client downloads JavaScript code MyCode.js from http://siteA - the origin. The response header of MyCode....
mark • 61.2k
1395 votes
35 answers
1.2m views

Access-Control-Allow-Origin Multiple Origin Domains?

Is there a way to allow multiple cross-domains using the Access-Control-Allow-Origin header? I'm aware of the *, but it is too open. I really want to allow just a couple domains. As an example, ...
Thomas J Bradley
1306 votes
33 answers
3.9m views

No 'Access-Control-Allow-Origin' header is present on the requested resource—when trying to get data from a REST API

I'm trying to fetch some data from the REST API of HP Alm. It works pretty well with a small curl script—I get my data. Now doing that with JavaScript, fetch and ES6 (more or less) seems to be a ...
daniel.lozynski
768 votes
37 answers
905k views

Why doesn't adding CORS headers to an OPTIONS route allow browsers to access my API?

I am trying to support CORS in my Node.js application that uses the Express.js web framework. I have read a Google group discussion about how to handle this, and read a few articles about how CORS ...
mikong • 8,340
731 votes
27 answers
2.4m views

Response to preflight request doesn't pass access control check - No 'Access-Control-Allow-Origin' header

I'm getting this error using ngResource to call a REST API on Amazon Web Services: XMLHttpRequest cannot load http://server.apiurl.com:8000/s/login?login=facebook. Response to preflight request doesn'...
Andre Mendes • 7,637
611 votes
16 answers
716k views

Why is an OPTIONS request sent and can I disable it?

I am building a web API. I found whenever I use Chrome to POST, GET to my API, there is always an OPTIONS request sent before the real request, which is quite annoying. Currently, I get the server to ...
596 votes
17 answers
835k views

“Origin null is not allowed by Access-Control-Allow-Origin” error for request made by application running from a file:// URL

I'm developing a page that pulls images from Flickr and Panoramio via jQuery's AJAX support. The Flickr side is working fine, but when I try to $.get(url, callback) from Panoramio, I see an error in ...
Drew Noakes
543 votes
9 answers
124k views

What is the motivation behind the introduction of preflight CORS requests?

Cross-origin resource sharing is a mechanism that allows a web page to make XMLHttpRequests to another domain (from Wikipedia). I've been fiddling with CORS for the last couple of days and I think I ...
Jan Groth • 14.5k
515 votes
12 answers
1.2m views

Trying to use fetch and pass in mode: no-cors

I can hit this endpoint, http://catfacts-api.appspot.com/api/facts?number=99 via Postman and it returns JSON. Additionally, I am using create-react-app and would like to avoid setting up any server ...
dwww • 5,408
503 votes
12 answers
802k views

CORS: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true

I have a setup involving Frontend server (Node.js, domain: localhost:3000) <---> Backend (Django, Ajax, domain: localhost:8000) Browser <-- webapp <-- Node.js (Serve the app) Browser (...
ixaxaar • 6,659
483 votes
15 answers
638k views

Access-Control-Allow-Origin wildcard subdomains, ports, and protocols

I'm trying to enable CORS for all subdomains, ports, and protocol. For example, I want to be able to run an XHR request from http://sub.mywebsite.example:8080/ to https://www.mywebsite.example/* ...
Elie • 7,225
452 votes
5 answers
349k views

How can you debug a CORS request with cURL?

How can you debug CORS requests using cURL? So far I couldn't find a way to "simulate" the preflight request.
themihai • 8,333
443 votes
27 answers
1.1m views

Request header field Access-Control-Allow-Headers is not allowed by itself in preflight response

I have come across CORS issues multiple times and can usually fix it but I want to really understand by seeing this from a MEAN stack paradigm. Before I simply added middleware in my express server ...
mibbit • 5,295
433 votes
3 answers
170k views

What are the integrity and crossorigin attributes?

Bootstrapcdn recently changed their links. It now looks like this: <link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css" rel="stylesheet" integrity="sha256-...
New user • 4,339