Page not loading properly due to incorrect access-control-allow-origin header

Hi,

I have an issue with the site https://v1.5.vision.

On a number of files, the following header is added:

access-control-allow-origin: http://v1.5.vision

But it is an HTTPS connection, so the files don’t load in the browser.

I will post the links to the files that are problematic in responses, because new users can only post 2 links (which really is too low IMHO).

As you’ll notice, these are all font files. I don’t know if this makes a difference or not.

This appears to be a bug on your servers, but if I’m wrong, please let me know.

Best regards,
Mark Alexander.

https://invicdn.worldcdn.net/731701761/http/108.161.134.12/v1.5.vision//content/themes/startit/assets/css/elegant-icons/fonts/ElegantIcons.woff
https://invicdn.worldcdn.net/731701761/http/108.161.134.12/v1.5.vision/
/content/themes/startit/assets/css/elegant-icons/fonts/ElegantIcons.ttf

Note: There were more URLs, but they’re hidden. They were all ttf/woff/woff2 links, though.

Note: Where it displays vision//content, it should have an underscore between the slahses - like /_/

The response headers I’m getting are:

HTTP/2 404
server: nginx
date: Mon, 24 Jun 2019 19:18:30 GMT
content-type: text/html
vary: Accept-Encoding
x-accelerated-by: InviCDN
x-page-speed: 1.13.35.2-0
cache-control: max-age=0, no-cache
x-cache: MISS
x-storage: 949386585:8001
access-control-allow-origin: http://v1.5.vision
x-edge-ip: 185.59.204.187
x-edge-location: London, GB

That suggests that response comes straight from your server. In this case you’d need to fix this in your server configuration.

1 Like

No, definitely it’s coming from Cloudflare.

Cloudflare uses Nginx.

I’ve actually noticed that some of the URLs have been re-written with the wrong extension, so there might be another reason.

That response did not come from Cloudflare. Cloudflare’s signature is “Cloudflare”. Also, there is not a single Cloudflare specific header included.

The URL was:

https://invicdn.worldcdn.net/731701761/http5/108.161.134.12/v1.5.vision/_/content/themes/startit/assets/css/font-awesome/fonts/fontawesome-webfont.wof

This is the re-written URL that Cloudflare provided.

The headers for curl -I v1.5.vision are:

HTTP/1.1 200 OK
Date: Mon, 24 Jun 2019 19:32:57 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=de99e4569ea3eec7ae8f8822c9f2e77fa1561404777; expires=Tue, 23-Jun-20 19:32:57 GMT; path=/; domain=.5.vision; HttpOnly
Vary: Accept-Encoding
X-Accelerated-By: InviCDN
X-Page-Speed: 1.13.35.2-0
Cache-Control: max-age=0, no-cache
Server: Cloudflare
CF-RAY: 4ec121733e10d6b9-FRA

Cloudflare is definitely handling the domain v1.5.vision.

Cloudflare does not rewrite URLs. Where did you get this idea from?

Yes the .vision domain is handled by Cloudflare, but that domain actually does not send that header. That headers comes from the Worldcdn host, which is unrelated to Cloudflare. That is something you must have configured on your server and that needs to be fixed or adjusted there.

Cloudflare does not rewrite URLs. Where did you get this idea from?

Because that URL doesn’t feature in any of the source code.

If you check the URL http://v1.5.vision - it works as expected.
If you check the URL https://v1.5.vision - there are files that don’t appear.

The URL I got was from Chrome telling me which files were missing.

The URL were definitely rewritten from the original files (which I’ve checked).

Again, Cloudflare does not rewrite URLs and is not affiliated with whomever runs that service. Thats something your server is likely rewriting on-the-fly (if you couldnt find any reference in the source code).

Pause Cloudflare and check if it works at that point on HTTPS. My guess would be it does not.

There are no rewrites on the server.

HTTP works through Cloudflare, HTTPS partially works.

There is no SSL cert on the host server. Am I required to set up HTTPS on the server to get it to work?

Then please explain this.

That request went straight to your server and still contains links to Worldcdn.

And yes, you are required to have HTTPS on your server otherwise your site can never be secure.

I’ll add SSL to the server and try again.

Original source from http[s]://v1.5.vision (one example):

<link rel='stylesheet' id='layerslider-css' href='/_/content/plugins/LayerSlider/static/layerslider/css/layerslider.css?ver=6.7.6' type='text/css' media='all' />

Source from Cloudflare:

<link rel='stylesheet' id='layerslider-css' href='https://invicdn.worldcdn.net/731701761/http/108.161.134.12/v1.5.vision/_/content/plugins/LayerSlider/static/layerslider/css/A.layerslider.css,qver=6.7.6.pagespeed.cf.0VSzOvQdCM.css' type='text/css' media='all'/>

There are loads and loads of URLs that have been re-written.

Cloudflare won’t re-write the main URLs, but presumably they re-write the URLs of cached files.

I obviously know this, but I don’t need it to be secure for now. What I’m interested in is whether or not HTTPS on the host server is required for Cloudflare to work at all.

Well, as evident from my previous screenshot the URL in question is also sent by your server. Again, Cloudflare does not rewrite URLs. At best, it might have a cached version your server sent earlier.

You dont need HTTPS on the server for Cloudflare to work. In this case switch Cloudflare’s SSL mode to “Off” and the HTTPS issue with the HTTP link will disappear too.

I’ve fixed this now.

I don’t know where the URL rewrites were coming from (I checked on the server, and it definitely wasn’t there), but when I activated SSL on the host server using an origin SSL cert from Cloudflare, it worked without problems and indeed the URLs were not re-written this time.

@sandro Thanks for your assistance.

Note: I would have responded earlier, but there are daily limits on how many replies you can post on the first day here. :slight_smile:

1 Like

Yes, links are not being rewritten any longer.

Could it be you have ngx_modspeed configured?