laravel-cors icon indicating copy to clipboard operation
laravel-cors copied to clipboard

Published 20 hours ago verified publisher icon fruitcake

CORS Not working

Open AliZaibazr opened this issue 3 years ago • 10 comments

getting error: ww.example.com has been blocked by CORS policy: Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.

AliZaibazr avatar Mar 24 '21 11:03 AliZaibazr

At last, after the effort of 3 days, I have removed the fruitcake package and using my own middleware.

AliZaibazr avatar Mar 25 '21 09:03 AliZaibazr

images

meeran-seers avatar Mar 25 '21 09:03 meeran-seers

Same here, in my dev env suddenly something happened and now cors warning is firing all the time. Just cant fix it now ....

MihailProcudin avatar Mar 27 '21 17:03 MihailProcudin

It was just an error in the Model, not related to cors, sorted now.

MihailProcudin avatar Mar 29 '21 07:03 MihailProcudin

Also struggled for the whole weekend. Added custom middleware and it works now.

sanushen avatar Apr 05 '21 11:04 sanushen

Stack: nginx laravel 8

I have no idea if this will help or why it's behaving like this, but for some reason if I send an options request (aka a preflight request) to my root domain path like api.example.com/ I get a 405 Not Allowed from nginx with generic headers that do not contain the Access-Control-Allow headers needed by the browser, even if api.example.com/ is a valid path in my routes/api.php file.

The browser seems not to care about the 405 but the fact that the 405 response has no allow headers at all and will console.log() the annoying message Request header (something-something) is not allowed by Access-Control-Allow-Headers in preflight response.

Capture1

But

if I send a request to any path that is not root e.g api.example.com/123123123123 EVEN if the path does not exist in routes/api.php the preflight response works and responds with the headers needed by the browser for cors.

Capture2

Bonus Note

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS Capture3

Ghustavh97 avatar Apr 30 '21 15:04 Ghustavh97

Same thing, I removed the fruitcake cors and using my own middleware.

    public function handle(Request $request, Closure $next)
    {
        return $next($request)
            ->header('Access-Control-Allow-Origin', '*')
            ->header('Access-Control-Allow-Methods', 'GET, POST, PUT, PATCH, DELETE, OPTIONS')
            ->header('Access-Control-Allow-Headers', '*');
    }

kenny-lee-1992 avatar Sep 12 '21 03:09 kenny-lee-1992

Same thing, I removed the fruitcake cors and using my own middleware.

    public function handle(Request $request, Closure $next)
    {
        return $next($request)
            ->header('Access-Control-Allow-Origin', '*')
            ->header('Access-Control-Allow-Methods', 'GET, POST, PUT, PATCH, DELETE, OPTIONS')
            ->header('Access-Control-Allow-Headers', '*');
    }

This did it for me. For whatever reason, using the CORS package didn't work on any routes, even if they were explicitly specified. I don't believe that this solution covers preflight requests appropriately, but it handles most cases.

romansorin avatar Nov 07 '21 21:11 romansorin

I had same issues and spent hours of debugging but at last I just run php artisan config:cache and copied the bootstrap/config files to server.

Do not forgot to change your ENV to production settings such as db, keys and etc before running config:cache

Please note that I had this issue when the app is on server. Everything works perfectly in local development.

wsajjadh avatar Jun 02 '22 15:06 wsajjadh

Same issue here. The preflight simply does not seem to work for most situations. Nothing I tried would send the headers except adding them in middleware or to the route file manually. There should just be an option to disable preflight and always add the headers - since that is what most of us running into this issue are doing.

cc: @barryvdh

fylzero avatar Sep 23 '22 15:09 fylzero