This page is not complete.
Cross-Origin Resource Sharing (CORS) is a standard that allows a server to relax the same-origin policy. Typically, this is used to explicitly allow some cross-origin requests while rejecting others. Setting up such a CORS configuration isn't necessarily easy and might present some challenges. We'll look into some common error messages and how to resolve them.
If the CORS configuration isn't set up correctly, the browser console will present an error like "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at $somesite", indicating that the request was blocked because it violated the CORS security rules. This is not necessarily a set-up mistake, though: the request may be intentionally disallowed by the user's web application or by the remote external service. If access to the endpoint is intended, however, some debugging is needed to make it succeed.
Identifying the issue
To find out the underlying issue with the CORS configuration, you need to find out which request is at fault and why.
- Navigate to the web site or web app in question and open the Developer Tools.
- Now try to reproduce the failing transaction and check the console for a CORS violation error message. It will probably look like this:
CORS error messages
Firefox will throw CORS error messages for various reasons:
- Reason: CORS disabled
- Reason: CORS request did not succeed
- Reason: CORS header ‘Origin’ cannot be added
- Reason: CORS request external redirect not allowed
- Reason: CORS request not http
- Reason: CORS header ‘Access-Control-Allow-Origin’ missing
- Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘xyz’
- Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’
- Reason: Did not find method in CORS header ‘Access-Control-Allow-Methods’
- Reason: expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’
- Reason: CORS preflight channel did not succeed
- Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Methods’
- Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’
- Reason: missing token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel
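Every message above points at a response header the server either omitted or set to a value the browser rejects. As an added example that is not part of this page, the Node.js function below computes the CORS response headers for a request against an explicit origin allowlist, handles the preflight, and deliberately avoids the combinations the messages describe (a wildcard origin together with credentials, an unlisted method or request header). The origins, methods and header names are constructed sample values; `corsHeaders` and its plain-object request shape are assumptions for this example.

```javascript
// Constructed sample policy: exact origins only, never a wildcard or a pattern match.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["content-type", "authorization"]; // compared case-insensitively

// req: { method, headers: { origin, "access-control-request-method",
//        "access-control-request-headers" } } with lowercase header names.
// Returns { status, headers } for the caller to merge into the HTTP response.
function corsHeaders(req, allowCredentials = true) {
  const origin = req.headers["origin"];
  // No Origin header: same-origin or non-browser client, nothing to add.
  if (!origin) return { status: 200, headers: {} };

  // Unlisted origin: send no Access-Control-Allow-Origin at all. The browser then
  // reports "CORS header 'Access-Control-Allow-Origin' missing" and refuses to read
  // the body. Never reflect an arbitrary Origin value back.
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 200, headers: { "Vary": "Origin" } };

  const headers = {
    // Echo the one matching origin. A literal "*" would trigger
    // "Credential is not supported if the CORS header ... is '*'" once cookies are sent.
    "Access-Control-Allow-Origin": origin,
    // Caches must key on Origin so one origin's response is never served to another.
    "Vary": "Origin",
  };
  // The value must be exactly "true"; anything else yields "expected 'true' in
  // CORS header 'Access-Control-Allow-Credentials'".
  if (allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";

  const wantedMethod = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && wantedMethod) {
    // Preflight: every requested method and header must be in the allowlist,
    // otherwise the browser reports a missing method or a missing token in
    // Access-Control-Allow-Headers from the CORS preflight channel.
    const wantedHeaders = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const methodOk = ALLOWED_METHODS.includes(wantedMethod.toUpperCase());
    const headersOk = wantedHeaders.every((h) => ALLOWED_HEADERS.includes(h));
    if (!methodOk || !headersOk) return { status: 403, headers: { "Vary": "Origin" } };
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600"; // seconds the browser may cache this preflight
    return { status: 204, headers };
  }
  return { status: 200, headers };
}
```

When a request still fails, compare the headers this function would produce with what the browser's network panel shows for the actual response; the difference usually maps directly onto one of the messages above.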