CORS Headers Missing from CloudFlare Response to My Post Requests

General
1

My app is sending a CORS request and Cloudflare responded with no CORS Header. This is what’s showing in the Chrome’s Developer Console:

Request:

authority: otakhi.com
method: POST
path: /querypublicobjs
scheme: https
accept:*/*
accept-encoding: gzip, deflate, br
accept-language: en-US
content-length: 50
content-type: application/x-www-form-urlencoded; charset=UTF-8
origin: lenovo
referer: lenovo/
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) AtomDrive/1.1.3 Chrome/89.0.4389.82 Electron/12.0.1 Safari/537.36

Response:

cf-cache-status:DYNAMIC
cf-ray:66619a1279ad5c23-IAD
cf-request-id:0af0de9f8a00005c230b9f9000000001
content-length:72
content-type:text/plain; charset=utf-8
date:Sun, 27 Jun 2021 20:59:54 GMT
expect-ct:max-age=604800, report-uri="report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
location:www.otakhi.com/querypublicobjs
nel:{"report_to":"cf-nel","max_age":604800}
report-to: {"endpoints":[{"url":"\/\/a.nel.cloudflare.com\/report\/v2?s=qMx6J4tsAjBVWgMRwWmt8pWFtc6whgaVOp9kzMBaHJz4aWuMG4pGIqCsXDvLnoeC%2FMEJkSTiL7juNW7rI8s9MBVs4%2B5nUzxbfyKhMaS6CyJ6WRIhSm7n"}],"group":"cf-nel","max_age":604800}
server:cloudflare
vary:Accept
x-powered-by: Express

And I get this error every times:

Access to XMLHttpRequest at 'mydomain/querypublicobjs' from origin 'otherdomain' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

To make sure my origin server did serve CORS headers, I did the same post request at reqbin.com

And the response is:

Date: Sun, 27 Jun 2021 21:01:29 GMT
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With
Feature-Policy: xr-spatial-tracking *
Vary: X-HTTP-Method-Override
set-cookie: connect.sid=s%3AQ5sJIpZIeYuKUwXSo2hWtrhd3Jlqtwo7.QN3kOmXaPXNusBOxmChtlTM4mnYxkHiakuNv%2F50RysI; Path=/; HttpOnly
CF-Cache-Status: DYNAMIC
cf-request-id: 0af0e00f36000017bd902a3000000001
Expect-CT: max-age=604800, report-uri="report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=6mlUIGXcXxlfRmJs6XHCiYdIxvM4lQi%2BAtQmsxaacuj0lTgP1wW7Rzs23M%2BXupl%2FFv7nBlTv%2B8d0H4T5%2FtPKxlg7zaXc%2BFwmfH4%2F6h74UMr60eiA2rkLoruYww%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 66619c5ebef117bd-EWR

Using page rule to Cache Bypass has no effect. Same Error.

What could be the problem?

It used to work, have you changed something?

thank you,

Steve

2

See this line in the response to the POST request.

You are redirecting the root (no subdomain) to the www subdomain, likely via a Cloudflare page rule. You either need to point your client at the www (that ‘authority’ property in the request) or remove the page rule redirect and serve the root as well.

3

My origin server use this Redirect: https://domain.com to https://www.domain.com. And it is indeed the culprit. Thank you.

4

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.