CORS errors

Draft
This page is not complete.

Cross-Origin Resource Sharing (CORS) is a standard that allows a server to relax the same-origin policy. Typically, this is used to explicitly allow some cross-origin requests while rejecting others. Setting up such a CORS configuration isn't necessarily easy and might present some challenges. We'll look into some common error messages and how to resolve them.

If the CORS configuration isn't setup correctly, the browser console will present an error like "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at $somesite" indicating that the request was blocked due to violating the CORS security rules. This might not necessarily be a set-up mistake, though. It's possible that the request is intentionally not allowed by the user's web application and remote external service. However, If it is intended to access the endpoint, some debugging is needed to succeed.

Identifying the issue

To find out the underlying issue with the CORS configuration, you need to find out which request is at fault and why.

  1. Navigate to the web site or web app in question and open the Developer Tools.
  2. Now try to reproduce the failing transaction and check the console if you are seeing a CORS violation error message. It will probably look like this:

Firefox console showing CORS error

CORS error messages

Firefox will throw CORS error messages for various reasons:

See also

Document Tags and Contributors

Contributors to this page: fscholz
Last updated by: fscholz,