CORS issue with image uploading

curl -I -X ‘OPTIONS’

HTTP/2 400

**server** : cloudflare

**date** : Mon, 27 Dec 2021 15:24:40 GMT

**content-type** : text/html

**content-length** : 155

**cf-ray** : -

Can’t use a generated direct upload URL in the browser as it doesn’t work with CORS.

Some more info when called in situ…

Access to fetch at '' from origin 'http://localhost:3000' has been blocked by CORS policy: 
Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.

what is the CURL version?

can you run with -vv option?

-I is a head request, so the curl might not send OPTIONS properly

from the curl man:

-X, --request <command>
              (HTTP)  Specifies  a custom request method to use when communicating with the HTTP server.  The specified request method will be used instead of the method otherwise used (which defaults to GET). Read the HTTP 1.1 specification for details and explanations. Common additional HTTP requests include PUT and DELETE,
              but related technologies like WebDAV offers PROPFIND, COPY, MOVE and more.

              Normally you don't need this option. All sorts of GET, HEAD, POST and PUT requests are rather invoked by using dedicated command line options.

              This option only changes the actual word used in the HTTP request, it does not alter the way curl behaves. So for example if you want to make a proper HEAD request, using -X HEAD will not suffice. You need to use the -I, --head option.

              The method string you set with -X, --request will be used for all requests, which if you for example use -L, --location may cause unintended side-effects when curl doesn't change request method according to the HTTP 30x response codes - and similar.

              (FTP) Specifies a custom FTP command to use instead of LIST when doing file lists with FTP.

              (POP3) Specifies a custom POP3 command to use instead of LIST or RETR. (Added in 7.26.0)

              (IMAP) Specifies a custom IMAP command to use instead of LIST. (Added in 7.30.0)

              (SMTP) Specifies a custom SMTP command to use instead of HELP or VRFY. (Added in 7.34.0)

              If this option is used several times, the last one will be used.

I do see access-control headers on the preflight request (OPTIONS).

curl -i -X OPTIONS

HTTP/2 200
date: Fri, 31 Dec 2021 14:52:54 GMT
content-length: 0
access-control-allow-origin: *
access-control-allow-methods: POST, OPTIONS
access-control-max-age: 86400
expect-ct: max-age=604800, report-uri=""
server: cloudflare
cf-ray: 6c64559a2b72072e-LHR

This topic was automatically closed after 15 days. New replies are no longer allowed.