PHP
lexstile, 2022-01-19 11:56:56

How to fix Access-Control-Allow-Origin issue?

FE: xn--80aswg.xn--p1ai
BE: api1.xn--80aswg.xn--p1ai

Requests from the FE are blocked by the CORS policy with the following error:

Access to XMLHttpRequest at 'https://api1.xn--80aswg.xn--p1ai/v1/app.callPayment' from origin 'https://xn--80aswg.xn--p1ai' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.


I tried many different combinations; this is the last one that didn't work:
if (isset($_SERVER['HTTP_ORIGIN'])) {
    // Decide if the origin in $_SERVER['HTTP_ORIGIN'] is one
    // you want to allow, and if so:
    header('Access-Control-Allow-Origin: '. $_SERVER['HTTP_ORIGIN']);
    header('Access-Control-Allow-Credentials: true');
    header('Access-Control-Max-Age: 1000');
}

if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
    if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'])) {
        header("Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE");
    }

    if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])) {
        header("Access-Control-Allow-Headers: Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization");
    }
    exit();
}

Request headers:
Request URL: https://api1.xn--80aswg.xn--p1ai/v1/app.callPayment
Referrer Policy: strict-origin-when-cross-origin
Provisional headers are shown
Accept: application/json, text/plain, */*
Authorization: dmtfYWNjZXNzX3Rva2VuX3NldHRpbmdzPSZ2a19hcHBfaWQ9MTAwMCZ2a19hcmVfbm90aWZpY2F0aW9uc19lbmFibGVkPTAmdmtfaXNfYXBwX3VzZXI9MCZ2a19pc19mYXZvcml0ZT0wJnZrX2xhbmd1YWdlPXJ1JnZrX3BsYXRmb3JtPWRlc2t0b3Bfd2ViJnZrX3JlZj1vdGhlciZ2a190cz0xNjQyNTgxNjA4JnZrX3VzZXJfaWQ9MTAwMCZzaWduPVdfamt4cndpR011ZGFrVEYzTk9nbFdiNFdUcmhfYkRLalNYMUI3S05fMXc=
Content-Type: application/json;charset=UTF-8
Referer: https://xn--80aeiblxo7evb.xn--p1ai/
sec-ch-ua: " Not;A Brand";v="99", "Google Chrome";v="97", "Chromium";v="97"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
withCredentials: true


The domain xn--80aswg.xn--p1ai is used as an example. In my case the setup is similar: a Cyrillic domain with a Latin subdomain.

Calling the preflight request with the OPTIONS method returned a 499 response code.

Anton Anton, 2022-01-19
@Fragster

You need to add "unsafe" request headers to Access-Control-Allow-Headers, or even an asterisk.
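As an added example (not code from the asker or the answerer), here is a version of the handler that checks the Origin against an allowlist instead of reflecting whatever the browser sends, and grants only the preflight-requested headers it actually allows. The origin is the asker's example host; the list of allowed headers is an assumption about what this API needs.

```php
<?php
// Added example, not the asker's or answerer's code.
// Reflecting $_SERVER['HTTP_ORIGIN'] together with
// Access-Control-Allow-Credentials: true lets any site make credentialed
// calls to this API, so the origin is checked against an explicit allowlist.

// Origins allowed to call this API (Punycode form, as the browser sends it).
const ALLOWED_ORIGINS = [
    'https://xn--80aswg.xn--p1ai',
];

// Request headers this API needs (assumed). Browsers do not honor "*" in
// Access-Control-Allow-Headers when credentials are used, and Authorization
// is never covered by a wildcard, so they must be listed explicitly.
const ALLOWED_HEADERS = ['accept', 'content-type', 'authorization', 'x-csrf-token'];

/**
 * Compute the CORS response headers for one request.
 * Returns header => value pairs; empty when the origin is not allowed,
 * in which case the browser blocks the response on the client side.
 */
function corsHeaders(array $server): array
{
    $origin = $server['HTTP_ORIGIN'] ?? '';
    if (!in_array($origin, ALLOWED_ORIGINS, true)) {
        return [];
    }
    $headers = [
        'Access-Control-Allow-Origin'      => $origin,
        'Access-Control-Allow-Credentials' => 'true',
        'Vary'                             => 'Origin', // caches must key on Origin
    ];
    if (($server['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
        // Preflight: grant only the headers the client asked for AND we allow.
        $requestedRaw = strtolower($server['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'] ?? '');
        $requested    = array_map('trim', explode(',', $requestedRaw));
        $granted      = array_intersect($requested, ALLOWED_HEADERS);
        $headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
        if ($granted) {
            $headers['Access-Control-Allow-Headers'] = implode(', ', $granted);
        }
        $headers['Access-Control-Max-Age'] = '600';
    }
    return $headers;
}

foreach (corsHeaders($_SERVER) as $name => $value) {
    header("$name: $value");
}
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
    http_response_code(204); // preflight response needs no body
    exit;
}
```

The 499 in the question is worth checking separately: that code comes from nginx when the client closes the connection, so the preflight may not be reaching PHP at all, and no PHP header change will fix that.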
