Strange behavior with ajax requests (CORS problem)


I have a strange behavior and can’t find any solution despite many many attempts (too many hours) .

So I decide to set up a very simple example on a personal domain (can’t communicate the URLs of my WIP project) !
This domain is behind Cloudflare and the web page simply make 2 POST Ajax calls to 2 differents subdomains.

First one :
Domain behind Cloudflare.

Second one :
Installed on Cloudflare but on “bypass” mode.

Both domains use the same folder (and webpage) on the back office server.

Go to :
F12 + check network requests and console log.

The first AJAX request failed with a CORS error + a 307 redirect.
The second AJAX request is 100% OK with no CORS error + a 200 response code.

CORS policy is OK on the “2 subdomains” (remember same folder/script behind) with a “full access” rule : Access-Control-Allow-Origin: * (look at the headers).

How do I get to work too ?

Note : On my WIP project I use more complexed scripts + the usual OPTIONS request that is OK (code 200) + the POST request with the same behavior (307 redirect + CORS error).

Thank you !


That 307 appears to come straight from the server and show up on the unproxied record as well.



I haven’t any 307 redirect on the unproxied record on my side and I just did the test on another PC at work (first time it connects to the test site). :confused:

Any idea ?

You’d need to check the server. It should say why it sends a 307.

Are you using SSL Flexible?

Nothing in my access logs (no trace of any request on !) and my host just tell me they have some security policies that can interfect with Cloudflare.

I just tested with another subdomain pointing to another server (which I have control over) and everything is working fine with Cloudflare. Sometimes you don’t have to look very far :confused:

Thanks for the advice :slight_smile:

No, I’m in Full mode.

Ajax request showing as xHR or HTML?

Well, as evident from the screenshot the 307 does come from your server. If it doesn’t show up you might have some logging issue.

Or you are possibly looking in the wrong file.

I’m assuming the request just does not reach the server and therefore is not logged. It must be blocked upstream via their security measures (shared server with various protections).

Logs file of is full of requests :wink:

@user3011 : XHR.

Once you found the demo2 307 you probably have found demo1’s as well. Simply remove that redirect.

Sorry, I replied for my WIP project, all is in XHR.
For this demo it’s a plain/text 'cause I don’t return anything. It’s a simple test, nothing else.
I made many attempts, with various content-type, various headers, various settings…

@sandro : I haven’t any 307 in demo2 logs, only 200 (like @user3011 screenshot).

Ehm, you seem to ignore what I just had posted.


In my logs I haven’t any 307, only 200.
In my logs I have nothing from my Ajax calls (only few direct access).
My host told me me, as indicated above, that it was probably because of their security measures… Which I confirm because it works perfectly well with another host (as I said above) :wink:

The subject can therefore be closed, the problem comes from the configuration of the shared server and not from Cloudflare. Which also explains why I haven’t had this issue in years of using Cloudflare.