OPTIONS preflight request is not passed to the server

I am working on a service that is consumed through AJAX from another domain.
I have domainA (the main domain where the service is hosted) and domainB, which is an A record pointing to domainA.

The AJAX calls are working fine on domainA. Obviously no CORS headers are required.
On domainB the AJAX is failing because OPTIONS (Preflight) requests are not responding with the appropriate headers. I added the headers and the allowed origin domain but I found out that the request is not even reaching the server. I added logs for all incoming requests and none of them is OPTIONS.

I am not sure why the request is not proxied to the server.
I’d appreciate any directions.

I assume it is the same issue as these


I’ve seen this topic. I don’t require authentication for these AJAX calls. They are public and cookies are not required.

Under Attack mode is disabled too.

You probably still run into a Cloudflare challenge though. Can you post the URLs in question?

The domain A is https://app.tixter.io/e/nR
The domain B is https://tickets.thesiyum.org/

You can try with a ticket of $36.00 (this is important) and a group code: DY-11219-1001A

I added a log of jQuery’s beforeSend function and this is what I see in the console when I submit the request:

How are these two domains connected? Which steps do I need to perform?

The request from https://tickets.thesiyum.org/ should be sent to https://app.tixter.io/e/5/groupCheckout and it is, but the OPTIONS request is not reaching the main server https://app.tixter.io

Steps:
Go to https://tickets.thesiyum.org/
Scroll down and select 1 ticket (the one with price of $36) and fill the group code: DY-11219-1001A
Submit the form and watch the console log.

The request gets sent, however the browser rejects the request with the following message

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://app.tixter.io/e/5/groupCheckout. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

I’d say you’d need to configure app.tixter.io with the appropriate Access-Control-Allow-Origin header.

As I mentioned above I already have the headers set

Access-Control-Allow-Origin: https://tickets.thesiyum.org (now it is *)
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Access-Control-Allow-Headers: X-Requested-With, Content-Type, X-Auth-Token, Origin, Accept
Access-Control-Allow-Credentials: true

The issue is that the browser never reaches app.tixter.io server for OPTIONS request in order to receive these headers.

Well, for me the request does reach the server but is then seemingly rejected because of the missing header

I made some changes in the response. Can you please try again?

I’m checking the logs and I don’t have any OPTIONS requests received.

Still the same I am afraid.

Also, that topic is slightly beyond the scope of the forum here. The issue is not really Cloudflare related and the domain in question is not on Cloudflare.

It's probably better to take that to StackExchange and the like.

Both domains are in CloudFlare and the fact that I don’t see the OPTIONS request in the logs makes me think it is not reaching the server.

Bad wording, the domain is not going through Cloudflare I meant.

Both domains are using CloudFlare DNS

But they are not going through Cloudflare and that's the only point where Cloudflare could theoretically have some influence.

These requests hit your server directly and so there is either an issue with your JavaScript code or your server configuration. I can't tell you why you don't get the requests on your server, but as evident from your own screenshot as well as mine, the browsers do seem to send them and do seem to receive a response, which however is dismissed because of the missing header.

Using PostMan, I could successfully POST to my CF testing endpoint and I saw all the right CORS-required headers, but I was getting the exact same browser errors in Chrome 75.

I solved my problem by implementing the solution from the out-of-date documentation here: https://developers.cloudflare.com/workers/recipes/cors-preflight-requests/

This was similarly discussed on another CF Community post: Handling preflight requests

It appears that OPTIONS requests need to be specifically handled and that there are different responses required for variations even within OPTIONS requests…

This topic was automatically closed after 14 days. New replies are no longer allowed.
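
The last reply notes that OPTIONS requests need explicit handling and that a CORS preflight and a plain OPTIONS request get different responses. The following is an added example of that decision logic, not code from the thread or from Cloudflare's recipe; it echoes the origin from an allowlist because browsers reject `Access-Control-Allow-Origin: *` on credentialed requests. The function name `corsDecision`, the plain request object shape and the 600-second max-age are assumptions.

```javascript
// Added example: hypothetical helper, header values mirror the ones quoted in the thread.
const ALLOWED_ORIGINS = new Set(["https://tickets.thesiyum.org"]);
const ALLOWED_METHODS = ["POST", "GET", "OPTIONS", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["x-requested-with", "content-type", "x-auth-token", "origin", "accept"];

// req: { method, headers } with lower-cased header names (constructed shape, not a framework API).
// Returns passThrough=true when the app should answer and attach `headers` to its own response.
function corsDecision(req) {
  const origin = req.headers["origin"];
  const reqMethod = req.headers["access-control-request-method"];
  const headers = { Vary: "Origin" }; // response differs per origin, so caches must key on it
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin; // exact origin, never "*" with credentials
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  // The actual POST/GET response needs the CORS headers too, not only the preflight.
  if (req.method !== "OPTIONS") return { passThrough: true, headers };
  // Plain OPTIONS (no Origin or no Access-Control-Request-Method): not a preflight.
  if (!origin || !reqMethod) {
    return { passThrough: false, status: 204, headers: { Allow: ALLOWED_METHODS.join(", ") } };
  }
  // Preflight: check origin, requested method and every requested header.
  const wanted = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = "Access-Control-Allow-Origin" in headers &&
    ALLOWED_METHODS.includes(reqMethod.toUpperCase()) &&
    wanted.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) return { passThrough: false, status: 403, headers: { Vary: "Origin" } };
  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  headers["Access-Control-Max-Age"] = "600"; // assumed cache time for the preflight result
  return { passThrough: false, status: 204, headers };
}

// Constructed sample requests covering each branch.
function demo() {
  const site = "https://tickets.thesiyum.org";
  return {
    preflight: corsDecision({ method: "OPTIONS", headers: { origin: site,
      "access-control-request-method": "POST",
      "access-control-request-headers": "Content-Type, X-Requested-With" } }),
    unknownOrigin: corsDecision({ method: "OPTIONS", headers: { origin: "https://other.example",
      "access-control-request-method": "POST" } }),
    plainOptions: corsDecision({ method: "OPTIONS", headers: {} }),
    actualPost: corsDecision({ method: "POST", headers: { origin: site } }),
  };
}
```

Logging `req.method` and the `Origin` header at the point where this runs shows whether the preflight reaches the application or is answered by something in front of it.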