CORS policy problem: Access-Control-Allow-Origin

FredM · March 16, 2021, 12:29pm

Strapi Version: 3.0.0-beta.17.8

Well everything worked and for some reason my site just got blocked today.
I got this problem:
been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

On my local it is working great, but for some reason I have this problem in the production.

sunnyson · March 16, 2021, 1:48pm

Since you are using an outdated version strapi, do you have separate server.js files per environment?

FredM · March 16, 2021, 3:04pm

Yes, I have different server.json files for each environment.

sunnyson · March 16, 2021, 3:15pm

Can you attach middlewares and server configurations? You can replace the private fields.

FredM · March 17, 2021, 7:09am

This is my prod server:

{
  "host": "......",
  "port": "${process.env.PORT || 1337}",
  "production": true,
  "ssl": true,
  "proxy": {
    "enabled": false,
    "host": ".....",
    "ssl": true
  },
  "cron": {
    "enabled": false
  },
  "admin": {
    "autoOpen": false,
    "build": {
      "backend": "......"
    }
  }
}

And this is my prod security:

{
  "csp": {
    "enabled": true,
    "policy": ["block-all-mixed-content"]
  },
  "p3p": {
    "enabled": true,
    "value": ""
  },
  "hsts": {
    "enabled": true,
    "maxAge": 31536000,
    "includeSubDomains": true
  },
  "xframe": {
    "enabled": true,
    "value": "SAMEORIGIN"
  },
  "xss": {
    "enabled": true,
    "mode": "block"
  },
  "cors": {
    "enabled": false,
    "headers": "*"
  },
  "ip": {
    "enabled": false,
    "whiteList": [],
    "blackList": []
  }
}

And this is my middleware:

{
  "timeout": 100,
  "load": {
    "before": ["responseTime", "logger", "cors", "responses", "gzip"],
    "order": [
      "Define the middlewares' load order by putting their name in this array is the right order"
    ],
    "after": ["parser", "router"]
  },
  "settings": {
    "cors": {
      "enabled": true,
      "headers": "*"
    }
  }
}

FredM · March 17, 2021, 7:11am

It seems that maybe there is a problem with graphql, it can’t get it with POST.

sunnyson · March 17, 2021, 8:12am

In security you have:

cors": {
    "enabled": false,
    "headers": "*"
  },

It should be enabled

FredM · March 17, 2021, 8:28am

Yeah it was true and I had the same issue.

sunnyson · March 17, 2021, 9:44am

Then I would recommend you to upgrade to a stable version:

kevinkatler · July 13, 2021, 12:44pm

You have to understand that the CORS behavior is not an error — it’s a mechanism that’s working as expected in order to protect your users, you, or the site you’re calling. If I understood it right you are doing an XMLHttpRequest to a different domain than your page is on. So the browser is blocking it as it usually allows a request in the same origin for security reasons. You need to do something different when you want to do a cross-domain request. In this case you need to enable your service for CORS which is cross origin resource sharing.

If you want to bypass that restriction when fetching the contents with fetch API or XMLHttpRequest in javascript, you can use a proxy server so that it sets the header Access-Control-Allow-Origin to *.

If you need to enable CORS on the server in case of localhost, you need to have the following on request header.

Access-Control-Allow-Origin: http://localhost:9999

faisalramdan17 · March 26, 2022, 11:09am

I get the same issue when calling ?filters[slug][$eq]=.
I used Plesk in DO server then you can try this.
Disable Proxy Mode at Nginx Settings.

Go to Nginx Settings.
Disable or Uncheck Proxy Mode

Thanks

LuisAlaguna · May 2, 2024, 10:32pm

I’m having the same issue in Strapi v4 in developer mode.