Server Fault Stack Exchange
Server Fault Stack Exchange

Questions tagged [cors]

Cross-Origin Resource Sharing (CORS) is a specification that enables open access across domain-boundaries

A mechanism to enable client-side cross-origin requests. Specifications that enable an API to make cross-origin requests to resources can use the algorithms defined by this specification. If such an API is used on http://example.org resources, a resource on http://hello-world.example can opt in using the mechanism described by this specification (e.g., specifying Access-Control-Allow-Origin: http://example.org as response header), which would allow that resource to be fetched cross-origin from http://example.org.

http://www.w3.org/TR/cors/

140 questions
229
votes
8 answers

How do I add Access-Control-Allow-Origin in NGINX?

How do I set the Access-Control-Allow-Origin header so I can use web-fonts from my subdomain on my main domain? Notes: You'll find examples of this and other headers for most HTTP servers in the HTML5BP Server Configs projects…
Chris McKee
  • 3,119
  • 2
  • 19
  • 16
50
votes
7 answers

Chrome S3 Cloudfront: No 'Access-Control-Allow-Origin' header on initial XHR request

I have a webpage (https://smartystreets.com/contact) that uses jQuery to load some SVG files from S3 through the CloudFront CDN. In Chrome I will open an Incognito window as well as the console. Then I will load the page. As the page loads, I will…
SunSparc
  • 968
  • 3
  • 10
  • 23
26
votes
4 answers

Setting Access-Control-Allow-Origin on Cloudfront

I am having problems serving static assets to Firefox using AWS Cloudfront. Chrome works perfect, but Firefox is returning a CORS error. If I execute curl , I get: HTTP/1.1 200 OK Content-Type: application/x-font-opentype Content-Length:…
Tony
  • 425
  • 2
  • 5
  • 14
13
votes
2 answers

How can I replace Access-Control-Allow-Origin header in proxy response with nginx

I am using a simple nginx instance to proxy REST calls to another server. The purpose of my proxy is to allow the use of cookies for authentication. I have it working, except for one problem. The server providing the REST service is sending the…
Michael Taylor
  • 233
  • 1
  • 2
  • 5
11
votes
1 answer

nginx if statement inside location returns 404

The following block location / { if ($http_origin ~* (https?://[^/]*\.example\.com(:[0-9]+)?)) { add_header 'Access-Control-Allow-Origin' "$http_origin"; } try_files $uri $uri/ /index.php?$args; } … causes a 404 as the above…
Spyros Lambrinidis
  • 626
  • 7
  • 8
9
votes
2 answers

Apache Header Module Loaded but can't set headers in htaccess

I have Apache 2.2.29 (unix) setup and running on my new dev machine (mac). I am trying to set CORS headers for an API project - something that I have done many times. The htaccess file for the project looks like this:
Dan Lake
  • 91
  • 1
  • 1
  • 4
9
votes
3 answers

Disable authentication for HTTP OPTIONS method (preflight request) in Nginx

My problem is the exact same one as described here: Disable authentication for HTTP OPTIONS method (preflight request). I'm trying to use CORS and HTTP passwords at the same time. When the browser see an bounced OPTIONS (status code 401), for some…
cleong
  • 281
  • 1
  • 2
  • 8
7
votes
1 answer

Disable authentication for HTTP OPTIONS method (preflight request)

One recurring problem with CORS is that the spec prescribes request headers get stripped from the preflight request (HTTP OPTIONS). However if the server requires authentication, this means the preflight request will fail (because the Authorization…
Jeroen Ooms
  • 2,187
  • 7
  • 32
  • 51
6
votes
1 answer

304 with CORS on apache

I have an REST API that returns a 304 Not Modified status code for some request (that have If-Modified-Since header). The problem is that the apache2 software strips any CORS header prior to the response being sent to the browser. This happens only…
user237329
  • 161
  • 3
5
votes
1 answer

Nginx add headers and proxy_pass for CORS bypass

I want to make CORS site with API on proxy_pass server. But location / { if ($request_method = 'OPTIONS') { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Credentials' 'true'; add_header…
eri
  • 274
  • 2
  • 4
  • 15
5
votes
1 answer

What AWS service to avoid CORS issues with S3 static content and aws backends

Introduction I've got the following architecture deployed on Amazon AWS. The goal is to expose a web application (single page application) acting as an entrypoint at https://app.acmecorp.com. This is a single page application that : serves static…
ddewaele
  • 333
  • 1
  • 4
  • 12
4
votes
0 answers

Nginx, PM2, Node - No 'Access-Control-Allow- Origin' header

I have developed NodeJS server ran with express. I use PM2 to manage the application and then nginx to proxy requests to the application. My Express application has CORS, CSP etc set up. But, the server does not respond in production and fails…
BugHunterUK
  • 331
  • 1
  • 2
  • 10
4
votes
0 answers

S3/Cloudfront CORS working on some files only

I'm really struggling to get Cloudfront and S3 to add Access-Control-Allow-Origin: * to the headers of video files stored on S3 (for inline video on iPhones - seems to be working everywhere else however inline video is only working on iPhones from…
beek
  • 205
  • 1
  • 10
4
votes
0 answers

Set CORS headers on nginx

Addresses like http://vpsxxx.ovh.net/g/search?q=ok or http://vpsxxx.ovh.net/so/questions/34738694/how-to-move-items-on-the-screen-for-a-game-using-javascript are proxied well, when trying them from the browser url bar But not from JS, even after…
caub
  • 149
  • 1
  • 4
4
votes
2 answers

CORS headers not added in Apache

I've been working on this issue for days. I'm a developer and my knowledge of these things is very limited, still there's no one available in this company to assist me with this issue. This really has to get resolved, as it's getting a blocking…
Bv202
  • 91
  • 5
1
2 3
9 10