CORS header 'Access-Control-Allow-Origin' does not match... but it does‼

S

6

35

I'm making a very simple JSON API in Java. It's actually a Project Zomboid mod that serves object coordinates. This is how my HTTP handler looks like:

public class JSONZomboid implements HttpHandler
{
    @Override
    public void handle(HttpExchange t) throws IOException {
        // HEADERS
        Headers headers = t.getResponseHeaders();
        headers.set("Content-Type", "text/json");   
        headers.set("Access-Control-Allow-Origin", "pzmap.crash-override.net");                 
        t.sendResponseHeaders(200,0);
        //BODY
        OutputStream os = t.getResponseBody();
        os.write("{\n".getBytes());
          // generate JSON here
        os.write("}".getBytes());
        os.close();
    }
}

I want to load this into Project Zomboid map project using userscript which means I need to enable CORS to connect. This is done via simple code:

PlayerRenderer.prototype.fetchInfo = function() {
  $.get("http://127.0.0.1:8000/test", {}, this.displayPoints.bind(this));
}

But I get this error:

Warning: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://127.0.0.1:8000/test. (Reason: CORS header 'Access-Control-Allow-Origin' does not match 'pzmap.crash-override.net').

Even in the console I can clearly see the error is misleading:

image description

If I didn't already hate CORS, I'd start to hate it now. Can you please tell me what is the actual string that belongs in the allow origin header?

Syzygy answered 9/2, 2016 at 22:43 Comment(6)

The header should have the hostname of the site that is allowed access to the content. If you are loading your pages from a site hosted at pzmap.crash-override.net then it should work. The error is telling you what the header contains, not what the source domain was. – Preside 9/2, 2016 at 22:46

You can see which site I'm loading from in the request headers (Origin and Referer). – Ananna 9/2, 2016 at 22:51

Actually it's very hard to see the detail in those images on a little screen :/ – Preside 9/2, 2016 at 22:58

Also I think the header value may need to be a complete URI, like http://pzmap.crash-override.net – Preside 9/2, 2016 at 23:2

the #1 comment helped me a lot! thanks!! :-) – Vierno 23/12, 2016 at 9:48

Thank you for the screenshot. Made me look at my network requests and noticed a trailing slash was the difference. – Exacerbate 28/8, 2022 at 19:35

C

11

The actual issue is that the Access-Control-Allow-Origin header should include the protocol, not just the hostname. It would be much better if the web browsers simply included this part in the error message.

So in the above, do:

headers.set("Access-Control-Allow-Origin", "http://pzmap.crash-override.net");

Contrabass answered 24/5, 2018 at 15:42 Comment(1)

headers.set("Access-Control-Allow-Origin", "pzmap.crash-override.net/"); is also not working, end up spent 2 hours to resolve removing last slash symbol... :( – Tiberius 28/3, 2021 at 15:46

D

20

I wrestled with this same problem for hours, and discovered that I had added a forward slash to the end of my origin: https://foo.com/, when it should have been https://foo.com. (Talk about a major face-palm moment!)

My (now working) Express Node.JS setup:

const express = require('express');
const cors = require('cors');
const app = express();

app.use(cors({
  methods: 'GET,POST,PATCH,DELETE,OPTIONS',
  optionsSuccessStatus: 200,
  origin: 'https://foo.com'
}));
app.options('*', cors());

Disequilibrium answered 14/5, 2018 at 2:46 Comment(1)

And I even thought about that trailing slash when I pasted the URL copied from my browser and wondered whether that should be removed... ;-) – Swafford 7/1, 2023 at 16:1

C

11

The actual issue is that the Access-Control-Allow-Origin header should include the protocol, not just the hostname. It would be much better if the web browsers simply included this part in the error message.

So in the above, do:

headers.set("Access-Control-Allow-Origin", "http://pzmap.crash-override.net");

Contrabass answered 24/5, 2018 at 15:42 Comment(1)

headers.set("Access-Control-Allow-Origin", "pzmap.crash-override.net/"); is also not working, end up spent 2 hours to resolve removing last slash symbol... :( – Tiberius 28/3, 2021 at 15:46

S

7

The comment #1 above is correct: CORS needs the Access-Control-Allow-Origin header to be match what the client's original request was (for an end-to-end SSL experience). So in this case, be sure you set pzmap.crash-override.net in your Access-Control-Allow-Origin headers.

Two notes:

1- Despite what you may read online, nginx currently requires multiple entries to be listed as separate lines, a la: add_header Access-Control-Allow-Origin "https://developers.google.com"; add_header Access-Control-Allow-Origin "https://imasdk.googleapis.com";

2 - Also despite what you may read online, usage of a wildcard is not ok. Not all clients (meaning browsers) allow it.

Slighting answered 26/10, 2016 at 18:10 Comment(0)

P

6

This error can also occur if the response includes more than one Access-Control-Allow-Origin header.

Parfitt answered 3/4, 2023 at 22:59 Comment(0)

S

1

Make sure your server return status 200 in Preflight request.

This error can also occur if server return Status Code !=200 in Preflight request. In my case my server already return Access-Control-Allow-Origin match origin but the status code was 302 cause this error.

Supramolecular answered 15/6, 2024 at 6:57 Comment(0)

D

0

for people who were not able to fix the above issue given the answer.

there can be another reason for this same cors error.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSAllowOriginNotMatchingOrigin

refer this for example.

i was encountering this same cors error when i was consuming the duplicate following response headers

HTTP/2 200 
date: Mon, 15 Jul 2024 06:14:48 GMT
content-type: application/json; charset=utf-8
access-control-allow-credentials: true
access-control-allow-credentials: true
access-control-allow-origin: *
access-control-allow-origin: *
access-control-expose-headers: Content-Length
access-control-expose-headers: Content-Length
X-Firefox-Spdy: h2

the request is succeeding with status code 200 but the browser doesn't allow the access of the response due to inconsistent response headers

Driftage answered 15/7, 2024 at 6:45 Comment(0)

Recommended topics

Hot tags