CORS/Origin issues
Any HTTP request through Cloudflare is missing its Origin header.
Plus, when setting the corresponding CORS / Access-Control-Allow-Origin response headers in my backend, they don't reach the end client, and any file requests get blocked...
Access to XMLHttpRequest at 'https://cdn.idle.cool/videos/chinchilla/chinchilla.m3u8' from origin 'https://chinchilla.idle.cool' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
cors looks like it's breaking because you have something (like I'm Under Attack mode) on that is challenging all requests; solving the challenge for the chinchilla subdomain doesn't solve the challenge for cdn, so the request is blocked
Origin headers should also be untouched
can i set an exclusion for the cdn subdomain that doesn't challenge requests that have already been verified?
and is UAM the reason that the "Origin" header of incoming requests is removed?
UAM challenging the requests would stop the request from making it to the origin entirely until the challenge is solved. I don't think there's any way around it for this use case other than just disabling it / disabling it for the cdn subdomain. Afaik only Enterprise Bot Management has something like that with JS Detections
very unfortunate. thank you though
@Chaika apologies for the ping, however the issue of the missing origin header still hasn't resolved itself. half of the sites on my subdomains are non-functional because my backend can't set the appropriate access-control-allow-origin headers
In the https://chinchilla.idle.cool/ example you linked above, the https://cdn.idle.cool/videos/chinchilla/chinchilla.m3u8 resource is returning Access-Control-Allow-Origin: https://cdn.idle.cool, but it needs to be https://chinchilla.idle.cool instead since that's the origin requesting it. Right now it's basically just saying it can access itself, which isn't too useful because it always can
MDN has a good guide on cors: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
It gets more complex for things other than simple resources / including headers / etc
i am currently manually setting the access control allow origin header, as i said before, since the real origin header key is missing. and yes, in this case i can only set it to the original subdomain since i can't predict where the request originates from
You could check over your Modify Request Header (Cf Dashboard, under your website: Rules -> Transform Rules -> Modify Request Header) to see if you have anything that could be removing it. You could also just implement your CORS setting stuff there if you wanted (using Modify Response Header)
i have zero transform rules or managed transforms deployed/enabled
I'm not aware of any other situation where Cloudflare would remove the Origin header, unless either with a CF Worker you set up or cached resources, but it looks like you have no caching configured. Make sure you're not trying to use the Referer header; not all browsers send those. I tested on my own origin as a sanity test and the Origin header is preserved.
Like I said as well, you could also use Transform Rules Modify Response Headers, something like Edit Expression =>
http.request.headers["origin"][0] == "https://allowed-origin.com" or http.request.headers["origin"][0] == "https://allowed-origin-2.com"
Then.. Modify Response Header:
Set Dynamic
Access-Control-Allow-Origin
http.request.headers["origin"][0]
Might be easier than debugging why your origin isn't properly receiving them, just an idea though
Hi, unsure if this is the same issue but I'm getting this error in my console:
Access to audio at 'https://songs.songbyrd.world/65c85152-81a5-43a4-9fd1-db476ce97b6a.mpeg' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
songs.songbyrd.world/65c85152-81a5-43a4-9fd1-db476ce97b6a.mpeg:1 GET https://songs.songbyrd.world/65c85152-81a5-43a4-9fd1-db476ce97b6a.mpeg net::ERR_FAILED
My CORS policy on the bucket is like this:
[
  {
    "AllowedOrigins": [
      "http://localhost:3000"
    ],
    "AllowedMethods": [
      "GET",
      "PUT"
    ],
    "AllowedHeaders": [
      "Content-Type"
    ]
  }
]
Can anyone point me in the right direction?
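A worked version of the rule Chaika describes above (the response must echo the origin that is requesting the resource, and only when that origin is on an allowlist, which is what the Transform Rule edit expression and the bucket policy's AllowedOrigins both express). This is an added example, not code from the thread or from Cloudflare; the names ALLOWED_ORIGINS and corsHeadersFor and the sample requests are constructed for the demo.

```javascript
// Allowlist of origins permitted to read the resource, in the spirit of the
// bucket policy's "AllowedOrigins" (constructed for this example).
const ALLOWED_ORIGINS = new Set([
  "https://chinchilla.idle.cool",
  "http://localhost:3000",
]);

/**
 * Compute the CORS headers to attach to a response, given the request headers
 * as a plain object with lower-cased names (hypothetical helper).
 *
 * - Origin present and allowed  -> echo that exact origin, plus "Vary: Origin"
 *   so a cache (Cloudflare's included) never serves an ACAO value issued for
 *   one origin to a page on another origin.
 * - Origin present, not allowed -> no ACAO header at all; the browser blocks.
 * - Origin absent (the complaint in this thread) -> nothing can be echoed, so
 *   return no CORS headers rather than guessing or falling back to "*".
 */
function corsHeadersFor(requestHeaders, allowedOrigins = ALLOWED_ORIGINS) {
  const origin = requestHeaders["origin"];
  if (typeof origin !== "string" || origin === "") {
    return {}; // no Origin header reached us: not answerable as CORS
  }
  // Exact match on scheme + host + port; "null" or a lookalike host fails here.
  if (!allowedOrigins.has(origin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Vary": "Origin",
  };
}

// Constructed sample requests mirroring the situations in the thread.
const SAMPLES = {
  allowed: { host: "cdn.idle.cool", origin: "https://chinchilla.idle.cool" },
  other:   { host: "cdn.idle.cool", origin: "https://other.example" },
  missing: { host: "cdn.idle.cool" }, // Origin stripped before the backend saw it
};

function demo() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    out[name] = corsHeadersFor(headers);
    console.log(name, out[name]);
  }
  return out;
}
demo();
```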