HERE Maps Tile API returns CORS Errors at Random - here-api

A few requests to the HERE Maps API return a 200 response, but most requests are blocked due to CORS and return a 301 response.
Error Message in browser console: Access to XMLHttpRequest at 'http://2.base.maps.cit.api.here.com/maptile/2.1/maptile/24c3a120e9/normal.day/10/840/607/256/png8?xxxxxxxx' from origin 'http://google.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

This can be solved by removing the "CIT" from the request.
Regards.

Related

Nginx using CORS with credentials

I'm working on building a web application that communicates with a Laravel API through an Nginx server. I tried following the directions on the Nginx website for wide-open CORS, but it doesn't like the wildcard response when sending credentials.
Access to fetch at 'https://api.***.com/' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
The API server requires a Bearer access token to authenticate, and each endpoint is at its own path on the server. What is the correct way to configure Nginx in this scenario?
The error message is right, you can't use a wildcard origin and credentials:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
For requests without credentials, the literal value "*" can be specified, as a wildcard; the value tells browsers to allow requesting code from any origin to access the resource. Attempting to use the wildcard with credentials will result in an error.
Instead, just pass back the actual origin, the one that arrived in the Origin HTTP header, then it will always match:
add_header Access-Control-Allow-Origin $http_origin always;
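
An added example, not part of the original answer: echoing $http_origin unconditionally makes every origin match, so with credentials enabled the usual hardening is to reflect the origin only when it is on an allowlist. The hostnames app.example.com and api.example.com, the upstream address, and the method and header lists are assumptions; http://localhost:8080 is the origin from the question.

```nginx
# http {} context. Added example; hostnames and upstream are placeholders.
# Reflect the Origin header only for origins on the allowlist.
map $http_origin $cors_allow_origin {
    default                     "";
    "https://app.example.com"   $http_origin;   # assumed production front end
    "http://localhost:8080"     $http_origin;   # dev origin from the question
}

# Send Allow-Credentials only when an origin was actually allowed.
map $cors_allow_origin $cors_allow_credentials {
    default "";
    ~.      "true";
}

server {
    listen 80;
    server_name api.example.com;   # placeholder

    location / {
        # Preflight is answered here. add_header lines are repeated because
        # directives inside "if" replace the ones inherited from the location.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin      $cors_allow_origin always;
            add_header Access-Control-Allow-Credentials $cors_allow_credentials always;
            add_header Access-Control-Allow-Methods     "GET, POST, PUT, DELETE, OPTIONS" always;
            add_header Access-Control-Allow-Headers     "Authorization, Content-Type" always;
            add_header Access-Control-Max-Age           600 always;
            add_header Vary                             Origin always;
            return 204;
        }

        # nginx does not emit a header whose value is empty, so origins that
        # are not on the allowlist get no CORS headers at all.
        add_header Access-Control-Allow-Origin      $cors_allow_origin always;
        add_header Access-Control-Allow-Credentials $cors_allow_credentials always;
        add_header Vary                             Origin always;

        proxy_pass http://127.0.0.1:8000;   # placeholder upstream for the API
    }
}
```

Vary: Origin is sent on every response so that a shared cache does not serve one origin's CORS headers to another.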

AWS - has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource

I used visual studio net 2.1 and a local sql database for my site on AWS. The first page comes up but when I try to put in a comment and the code routes to another page on my site I get this console error and the page is not routed to in the browser:
Access to XMLHttpRequest at 'https...' from origin 'https://www.....dev' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
This is the startup.cs file
    // Startup.ConfigureServices
    services.AddCors(options =>
    {
        options.AddPolicy("CorsPolicy",
            builder => builder.AllowAnyOrigin()
                              .AllowAnyMethod()
                              .AllowAnyHeader());
    });

    // Startup.Configure
    app.UseCors("CorsPolicy");
    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
    });
For some CORS requests, the browser sends an additional OPTIONS request before making the actual request. This request is called a preflight request. The browser can skip the preflight request if all the following conditions are true:
- The request method is GET, HEAD, or POST.
- The app doesn't set request headers other than Accept, Accept-Language, Content-Language, Content-Type, or Last-Event-ID.
- The Content-Type header, if set, has one of the following values:
    - application/x-www-form-urlencoded
    - multipart/form-data
    - text/plain
AllowAnyOrigin affects preflight requests and the Access-Control-Allow-Origin header.
The preflight request uses the HTTP OPTIONS method. It may include the following headers:
- Access-Control-Request-Method: The HTTP method that will be used for the actual request.
- Access-Control-Request-Headers: A list of request headers that the app sets on the actual request.
- Access-Control-Allow-Methods
Try allowing specific origins, methods and headers.
For more information, check the link below:
https://learn.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-3.1#preflight-requests
The answer is to enable the API Gateway in AWS.
In API Gateway Console click the Actions dropdown and select Deploy API.
This eliminated the CORS issue.

CosmosDB and CORS via Portal broken?

I am trying to develop with an active CosmosDB locally. I have tried adding both my local IP/domain, as well as a wildcard * in the CORS section of CosmosDB without success.
I have also exported the resource template and see that there is no CORS property in the manifest.
The CORS errors are below:
In Chrome: Access to fetch at 'https://--.documents.azure.com/' from origin 'https://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
In Firefox: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://--.documents.azure.com/. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
I successfully use CORS from my local 'origin' with Functions.

Providing this error 'Cross-Origin Request Blocked error in firefox' in website

On my WordPress website there is an issue:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://fonts.gstatic.com/s/opensans/v13(Reason: CORS header 'Access-Control-Allow-Origin' missing)

CORS preflight channel did not succeed, already added access-control-allow headers

I'm getting an error like this in Firefox, when I make an AJAX call to obtain an access token.
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://localhost:44302/identity/connect/token. (Reason: CORS preflight channel did not succeed)
I set up my CORS configuration to allow almost anything in web.config and I still get this error. Here are my request and response headers.
Any ideas why it's not going through?
