cors icon indicating copy to clipboard operation
cors copied to clipboard

Published 20 hours ago verified publisher icon rs

Missing origin error

Open DogAndHerDude opened this issue 5 years ago • 16 comments

Guys, please, I'm all out of ideas. Nothing is working.

The basic issue is the fact that requests get denied because it says that Access-Control-Allow-Origin header is missing. Problem is that everything worked fine until it didn't for whatever reason. Some requests make it through, some just get ignored.

Here's my configuration to start with:

	corsHandler := cors.New(cors.Options{
		AllowCredentials: true,
		AllowOriginFunc:  func(origin string) bool { return true },
		AllowedMethods:   []string{"GET", "POST", "PUT", "HEAD", "OPTIONS"},
		AllowedHeaders:   AllowedHeaders,
		Debug:            true,
	})

Whenever we receive a request in production, I get the following error: [cors] 2020/03/02 11:55:06 Actual request no headers added: missing origin

If I log the origin in the AllowOriginFunc function, the origin is present.

The request itself is a basic GET method request using JS fetch:

await fetch(new Request('<my url>', {
  method: 'GET',
  headers: {
   Accept: 'application/json',
  },
}))

DogAndHerDude avatar Mar 02 '20 12:03 DogAndHerDude

Have you tried with AllowedHeaders: []string{"*"}?

tarasyarema avatar Mar 19 '20 13:03 tarasyarema

I have the same problem.

mrsoftware avatar Jun 03 '20 00:06 mrsoftware

😢

giancarlosisasi avatar Jan 15 '21 03:01 giancarlosisasi

Same here

pierrebiver avatar Feb 07 '21 14:02 pierrebiver

~~Same here. In my case specifically, I have a Swagger-UI hosted on the same domain as my API. When it requests an endpoint, it gives me the message 'Failed to fetch'. In debug, I see that 'there is no origin header provided'. What's most intriguing is that, if I execute the exact curl that is shown in the swagger-ui - supposedly the same Curl they're performing - I get an answer. So I know it's a CORS Problem, I've added CORS middleware, I've tested it locally with a fake origin header, but, in production, it fails. I don't know what to do anymore. Already checked the order in which I'm adding the middlewares and Cors is the first one.~~

Edit:

I was trying to call HTTP in production instead of HTTPS. So it had nothing to do with cors, it was failing because Heroku (where the app is hosted) wouldn't allow HTTP calls. Sorry to comment on here.

phramos07 avatar Feb 23 '21 01:02 phramos07

I'm running out of ideas as well after +6h...

felipecruz91 avatar Feb 25 '21 20:02 felipecruz91

My problem was with proxy plugins, i was using proxy plugin in my browser, and that plugin was removing all headers about CORS, i disable it and now it's working.

mrsoftware avatar Feb 27 '21 22:02 mrsoftware

Having basically the same issue, just trying to send a simple fetch API call with an Authorization header. API call works fine before adding that header. The same log line is showing up Actual request no headers added: missing origin. "Origin" and "Authorization" are in my list of allowed headers.

devinmatte avatar Apr 06 '21 21:04 devinmatte

CORS need set origin header. Having origin is a precondition of rs/cors. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin

gin.Use(func(ctx *gin.Context) {ctx.Request.Header.Set("Origin", "*") }, cors.New(cors.Default())

fangker avatar Jan 12 '22 06:01 fangker

Set the cors.Options Debug to false.

syukronhidayat avatar Jun 04 '22 19:06 syukronhidayat

Set the cors.Options Debug to false.

This worked for me. Thanks @hidayats10!

mohdrasbi avatar Jun 13 '22 12:06 mohdrasbi

same issue i face

zee7153 avatar Oct 03 '22 11:10 zee7153

Set the cors.Options Debug to false.

Doesn't that just keep the error message from appearing in the output? (i.e. it does not resolve the underlying problem)

pierow2k avatar Jan 16 '23 16:01 pierow2k

does anyone solve this ?

TRSeculan avatar Dec 20 '23 03:12 TRSeculan

Set the cors.Options Debug to false.

Doesn't that just keep the error message from appearing in the output? (i.e. it does not resolve the underlying problem)

Strangely enough I started getting response data after setting the Debug option to false so that's that.

NekoFluff avatar Dec 23 '23 20:12 NekoFluff

I'm not blaming anybody, but there seems to be much confusion in this issue. The lack of a minimal reproducible example doesn't help. Here is my two cents.

As of v1.10.1 (at least), the following message

Actual request no headers added: missing origin

is logged only if

  1. the Debug option is set, and
  2. the request lacks an Origin header, which, according to the Fetch standard, only occurs if the request is same-origin.

If the request is same-origin, it doesn't participate in the CORS protocol and the absence of an Access-Control-Allow-Origin header in the response shouldn't cause a CORS error in the browser.

The log message above does not indicate whether your CORS middleware is well or badly configured. Whatever dysfunctional CORS configuration you're trying to troubleshoot doesn't stem from the value of the Debug option.

@NekoFluff

Strangely enough I started getting response data after setting the Debug option to false so that's that.

I'd be very curious to see a minimal reproducible example (perhaps in the form of one or two tests cases; see cors_test.go).

jub0bs avatar Dec 30 '23 22:12 jub0bs