CORS policy problem


i’m getting this error ( changed url for privacy): Access to XMLHttpRequest at ‘’ from origin ‘’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

this vsvl domain, goes through cloudflare and goes to a AWS S3 bucket, is this cors problem at CF or S3 bucket? adn how can I fix it?

You need to add an appropriate CORS policy on your s3 bucket. You could do it in a Cloudflare Worker, but much easier and cheaper on your Origin.

any clue what to add, got this already on the s3 bucket, i added the google rule and that didnt fix it


Getting out of scope for this forum, but can you give a redacted version of the request and response headers you are seeing in your browser, as well as the error message? I picked a random asset URL from your domain, and I get CORS headers in the response. You might need to purge the asset you are having issues with if you changed the CORS policy on S3. You might also need an ExposeHeader policy if your XMLHTTPRequest is trying to access response headers.

% curl --dump-header - -o /dev/null -s -H "Origin:" 2&>1 |  grep -i Access
access-control-allow-methods: GET, HEAD
access-control-allow-origin: *
vary: Accept-Encoding,Origin,Access-Control-Request-Headers,Access-Control-Request-Method

For whoever finds this later, the issue is that Access-Control-Allow-Origin: * does not work in conjunction with XMLHttpRequest withCredentials. You need to set the value of Access-Control-Allow-Origin in the response to be the same value as the Origin request header. Check the specification for details.

1 Like

This topic was automatically closed after 14 days. New replies are no longer allowed.