encore icon indicating copy to clipboard operation
encore copied to clipboard
verified publisher icon encoredev

CORS Problem

Open verylovestars opened this issue 1 year ago • 7 comments

My encore.app config: { "id": "", "lang": "typescript", "global_cors": { "debug": true, "allow_origins_without_credentials": ["http://localhost:3000"], "allow_origins_with_credentials": ["http://localhost:3000"], "allow_headers": ["*"] } }

Steps to reproduce:

  1. Create a new TypeScript application
  2. Add an endpoint
  3. Send a request to it from a web client

Expectation: Request from web application will be executed without errors

Reality: Access to XMLHttpRequest at 'http://localhost:4000/auth.login' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

verylovestars avatar Oct 11 '24 15:10 verylovestars

How are you running it? With encore run, or with encore eject, or something else?

eandre avatar Oct 14 '24 15:10 eandre

I have the same problem. I have added all the CORS related headers but it doesn't work for some reason.

"global_cors": {
    "debug": true,
    "allow_headers": ["*"],
    "expose_headers": ["*"],
    "allow_origins_without_credentials": ["*"],
    "allow_origins_with_credentials": ["*"]
  }

I have a Go encore app and using TS generated client. It doesn't work on normal fetch as well.

It is working fine on from localhost:8080 (FE) -> localhost:4000(BE) but for some reason it doesn't work when you get the deployed URL.

cc @eandre

jeremyrx7 avatar Oct 23 '24 04:10 jeremyrx7

allow_origins_with_credentials doesn't support the wildcard match * because that's a security vulnerability in most cases. If you really need this you can use the value ["UNSAFE_ALL_ORIGINS_WITH_CREDENTIALS"], but as the name suggests it’s unsafe unless you know what you’re doing.

eandre avatar Oct 23 '24 07:10 eandre

@luvvvdev would you mind testing with the latest version of encore? Update with: encore version update

We've made some cors fixes that might relate to your problem, depending on where you see them? (is it via encore run, encore docker build or how are you running encore?)

fredr avatar Nov 26 '24 14:11 fredr

I am also facing this issue. I am using Encore v1.46.4 and have a TypeScript app. I generate a docker image using encore build. When the OPTIONS or preflight request is sent, the Encore app returns 405 Method Not Allowed.

It looks like Encore runtime is forwarding the OPTIONS request to the TypeScript code. After facing this issue, I wrote code to handle OPTIONS requests to return some headers and it confirmed my suspicions.

CC: @eandre @fredr I have posted this observation on Discord as well.

Anand-Doijode-SCT avatar Feb 26 '25 06:02 Anand-Doijode-SCT

I am also facing this issue. I am using Encore v1.46.4 and have a TypeScript app. I generate a docker image using encore build. When the OPTIONS or preflight request is sent, the Encore app returns 405 Method Not Allowed.

It looks like Encore runtime is forwarding the OPTIONS request to the TypeScript code. After facing this issue, I wrote code to handle OPTIONS requests to return some headers and it confirmed my suspicions.

CC: @eandre @fredr I have posted this observation on Discord as well.

I'm facing the same issue. I am using Encore v1.46.4 and have a TypeScript app.

MatheusMBispo avatar Jun 13 '25 07:06 MatheusMBispo

@MatheusMBispo As mentioned here, you have to add api-gateway to enforce CORS rules.

Anand-Doijode-SCT avatar Jun 13 '25 08:06 Anand-Doijode-SCT