Response to preflight request doesn t pass access control check

Question

I m getting this error using ngResource to call a REST API on Amazon Web Services   XMLHttpRequest cannot load http   server apiurl com 8000 s login login facebook  Response to preflight request doesn t pass access control check  No  Access-Control-Allow-Origin  header is present on the requested resource  Origin  http   localhost  is therefore not allowed access  Error 405  Service  socialMarkt factory  loginService      resource   function   resource        var apiAddress    quot http   server apiurl com 8000 s login  quot       return  resource apiAddress            login   quot facebook quot           access token   quot  access token quot           facebook id   quot  facebook id quot                   getUser                method   POST                          Controller        loginService getUser JSON stringify fbObj        function  data            console log data              function  result            console error  Error   result status                I m using Chrome  and I dont know what else to do in order to fix this problem  I ve even configured the server to accept headers from origin localhost

User · Answer

There are some caveats when it comes to CORS. First, it does not allow wildcards * but don't hold me on this one I've read it somewhere and I can't find the article now.

If you are making requests from a different domain you need to add the allow origin headers.

 Access-Control-Allow-Origin: www.other.com

If you are making requests that affect server resources like POST/PUT/PATCH, and if the mime type is different than the following application/x-www-form-urlencoded, multipart/form-data, or text/plain the browser will automatically make a pre-flight OPTIONS request to check with the server if it would allow it.

So your API/server needs to handle these OPTIONS requests accordingly, you need to respond with the appropriate access control headers and the http response status code needs to be 200.

The headers should be something like this, adjust them for your needs:

   Access-Control-Allow-Methods: GET, POST, PUT, PATCH, POST, DELETE, OPTIONS
   Access-Control-Allow-Headers: Content-Type
   Access-Control-Max-Age: 86400

The max-age header is important, in my case, it wouldn't work without it, I guess the browser needs the info for how long the "access rights" are valid.

In addition, if you are making e.g. a POST request with application/json mime from a different domain you also need to add the previously mentioned allow origin header, so it would look like this:

   Access-Control-Allow-Origin: www.other.com 
   Access-Control-Allow-Methods: GET, POST, PUT, PATCH, POST, DELETE, OPTIONS
   Access-Control-Allow-Headers: Content-Type
   Access-Control-Max-Age: 86400

When the pre-flight succeeds and gets all the needed info your actual request will be made.

Generally speaking, whatever Access-Control headers are requested in the initial or pre-flight request, should be given in the response in order for it to work.

There is a good example in the MDN docs here on this link, and you should also check out this SO post

User · Answer

I think disabling CORS from Chrome is not good way  because if you are using it in ionic  certainly in Mobile Build the Issue will raise Again   So better to Fix in your Backend   First of all In header  you need to set-   header  Access-Control-Allow-Origin       header  Header set Access-Control-Allow-Headers   Origin  X-Requested-With  Content-Type  Accept       And if API is behaving as GET and POST both then also Set in your header-     if    SERVER  REQUEST METHOD       OPTIONS        if    isset   SERVER  HTTP ACCESS CONTROL REQUEST METHOD             header  Access-Control-Allow-Methods  GET  POST  OPTIONS        if  isset   SERVER  HTTP ACCESS CONTROL REQUEST HEADERS             header  Access-Control-Allow-Headers       SERVER  HTTP ACCESS CONTROL REQUEST HEADERS        exit 0

User · Answer

You are running into CORS issues  There are several ways to fix workaround this   Turn off CORS  For example  how to turn off cors in chrome Use a plugin for your browser Use a proxy such as nginx  example of how to set up Go through the necessary setup for your server  This is more a factor of the web server you have loaded on your EC2 instance  presuming this is what you mean by  quot Amazon web service quot    For your specific server you can refer to the enable CORS website   More verbosely  you are trying to access api serverurl com from localhost  This is the exact definition of cross domain request  By either turning it off just to get your work done  OK  but poor security for you if you visit other sites and just kicks the can down the road  you can use a proxy which makes your browser think all requests come from local host when really you have local server that then calls the remote server  so api serverurl com might become localhost 8000 api and your local nginx or other proxy will send to the correct destination   Now by popular demand  100  more CORS info    same great taste   Bypassing CORS is exactly what is shown for those simply learning the front end  https   codecraft tv courses angular http http-with-promises

User · Answer

For python flask server  you can use the flask-cors plugin to enable cross domain requests   See   https   flask-cors readthedocs io en latest

User · Answer

Something that is very easy to miss     IN solution explorer  right-click api-project  In properties window set  Anonymous Authentication  to Enabled

User · Answer

Our team occasionally sees this using Vue  axios and a C  WebApi   Adding a route attribute on the endpoint you re trying to hit fixes it for us    Route  ControllerName Endpoint     HttpOptions  HttpPost  public IHttpActionResult Endpoint

User · Answer

A very common cause of this error could be that the host API had mapped the request to a http method  e g  PUT  and the API client is calling the API using a different http method  e g  POST or GET

User · Answer

If you re writing a chrome-extension You have to add in the manifest json the permissions for your domain s    quot permissions quot         quot http   example com   quot       quot https   example com   quot       quot http   www example com   quot       quot https   www example com   quot

User · Answer

JavaScript XMLHttpRequest and Fetch follow the same-origin policy  So    a web application using XMLHttpRequest or Fetch could only make HTTP   requests to its own domain    Source  https   developer mozilla org en-US docs Web HTTP Access control CORS  You have to send the Access-Control-Allow-Origin    HTTP header from your server side   If you are using Apache as your HTTP server then you can add it to your Apache configuration file like this    lt IfModule mod headers c gt      Header set Access-Control-Allow-Origin      lt  IfModule gt    Mod headers is enabled by default in Apache  however  you may want to ensure it s enabled by running    a2enmod headers

User · Answer

In PHP you can add the headers    lt  php header   Access-Control-Allow-Origin       header   Access-Control-Expose-Headers  Content-Length  X-JSON    header   Access-Control-Allow-Methods  GET  POST  PATCH  PUT  DELETE  OPTIONS    header   Access-Control-Allow-Headers

User · Answer

Using the Cors option in the API gateway  I used the following settings shown above Also  note  that your function must return a HTTP status 200 in response to an OPTIONS request  or else CORS will also fail

User · Answer

If you are using IIS server by chance  you can set below headers in the HTTP request headers option   Access-Control-Allow-Origin   Access-Control-Allow-Methods   HEAD  GET  POST  PUT  PATCH  DELETE  Access-Control-Allow-Headers   Origin  Content-Type  X-Auth-Token     with this all post  get etc   will work fine

User · Answer

I am using AWS sdk for uploads  after spending some time searching online i stumbled upon this thread  thanks to  lsimoneau 45581857 it turns out the exact same thing was happening  I simply pointed my request Url to the region on my bucket by attaching the region option and it worked    const s3   new AWS S3    accessKeyId  config awsAccessKeyID   secretAccessKey  config awsSecretAccessKey   region   eu-west-2      add region here

User · Answer

My  API Server  is an PHP Application so to solve this problem I found the below solution to work   Place the lines in index php  header  Access-Control-Allow-Origin       header  Access-Control-Allow-Methods  GET  POST  PATCH  PUT  DELETE  OPTIONS    header  Access-Control-Allow-Headers  Origin  Content-Type  X-Auth-Token

User · Answer

In my Apache VirtualHost config file  I have added following lines    Header always set Access-Control-Allow-Origin     Header always set Access-Control-Allow-Methods  POST  GET  OPTIONS  DELETE  PUT  Header always set Access-Control-Max-Age  1000  Header always set Access-Control-Allow-Headers  x-requested-with  Content-Type  origin  authorization  accept  client-security-token   RewriteEngine On RewriteCond   REQUEST METHOD  OPTIONS RewriteRule         1  R 200 L

User · Answer

In AspNetCore web api  this issue got fixed by adding  Microsoft AspNetCore Cors   ver 1 1 1  and adding the below changes on Startup cs   public void ConfigureServices IServiceCollection services         services AddCors options   gt                  options AddPolicy  AllowAllHeaders                   builder   gt                                    builder AllowAnyOrigin                               AllowAnyHeader                               AllowAnyMethod                                                      and   public void Configure IApplicationBuilder app  IHostingEnvironment env  ILoggerFactory loggerFactory             Shows UseCors with named policy      app UseCors  AllowAllHeaders                          and putting  EnableCors  AllowAllHeaders    on the controller

User · Answer

To fix cross-origin-requests issues in a Node JS application   npm i cors   And simply add the lines below to the app js  let cors   require  cors   app use cors

User · Answer

For those are using Lambda Integrated Proxy with API Gateway  You need configure your lambda function as if you are submitting your requests to it directly  meaning the function should set up the response headers properly   If you are using custom lambda functions  this will be handled by the API Gateway       In your lambda s index handler    exports handler    event  context  callback    gt           on success       callback null               statusCode  200             headers                     Access-Control-Allow-Origin

User · Answer

I have faced with this problem when DNS server was set to 8 8 8 8  google s   Actually  the problem was in router  my application tried to connect with server through the google  not locally  for my particular case   I have removed 8 8 8 8 and this solved the issue  I know that this issues solved by CORS settings  but maybe someone will have the same trouble as me

User · Answer

The standalone distributions of GeoServer include the Jetty application server  Enable Cross-Origin Resource Sharing  CORS  to allow JavaScript applications outside of your own domain to use GeoServer   Uncomment the following  lt filter gt  and  lt filter-mapping gt  from webapps geoserver WEB-INF web xml    lt web-app gt     lt filter gt         lt filter-name gt cross-origin lt  filter-name gt         lt filter-class gt org eclipse jetty servlets CrossOriginFilter lt  filter-class gt     lt  filter gt     lt filter-mapping gt         lt filter-name gt cross-origin lt  filter-name gt         lt url-pattern gt    lt  url-pattern gt     lt  filter-mapping gt   lt  web-app gt

User · Answer

For anyone using Api Gateway s HTTP API and the proxy route ANY   proxy   You will need to explicitly define your route methods in order for CORS to work   Wish this was more explicit in the AWS Docs for Configuring CORS for an HTTP API Was on a 2 hour call with AWS Support and they looped in one of their senior HTTP API developers  who made this recommendation  Hopefully this post can save some time and effort for those who are working with Api Gateway HTTP API

User · Answer

Disable the chrome security Create a chrome shortcut  right click -  properties -  target  paste this  C  Program Files  x86  Google Chrome Application chrome exe  --disable-web-security --user-data-dir  c  chromedev

User · Answer

It s easy to solve this issue just with few steps easily without worrying about anything  Kindly Follow the steps to solve it     open  https   www npmjs com package cors enabling-cors-pre-flight   go to installation and copy the command npm install cors to install via node terminal go to Simple Usage  Enable All CORS Requests  by scrolling then copy and paste the complete declartion in ur project and run it   that will work for sure   copy the comment code and paste in ur app js or any other project and give a try   this will work this will unlock every cross origin resource sharing  so we can switch between serves for your use

[javascript] Response to preflight request doesn't pass access control check

Examples related to javascript

Examples related to ajax

Examples related to http

Examples related to cors

Examples related to http-status-code-405