Unwanted Access-Control-Allow-Origin: * added on Cloudflare Pages

gusta · June 4, 2022, 7:53am

I’m getting started with Cloudflare Pages to host simple static files.

I created a Pages project and deployed a single .txt file and a _headers file to it.

The content of the _headers file is as follows

/*.txt
  Content-Type: text/plain

/*
  X-Robots-Tag: noindex

The .txt file is served as expected, with both HTTP headers from the _headers file sent with it. However Pages is also sending an Access-Control-Allow-Origin: * header with every response.

As I understand from the Pages docs, one’d have to explicitly set said header in the _headers file for it to appear in the reponse:

To enable other domains to fetch every asset from your Pages project, the following can be added to the _headers:
_headers
/*
 Access-Control-Allow-Origin: *
This applies the Access-Control-Allow-Origin header to any incoming URL.

Headers · Cloudflare Pages docs

Is this a bug? Is there a way to remove the Access-Control-Allow-Origin header from the responses?

Thank you!

WalshyMVP · June 4, 2022, 7:54am

You can remove it with the _headers file like so:

/*
  ! Access-Control-Allow-Origin

gusta · June 6, 2022, 5:01pm

Hey! Sorry for the delay (topic was hidden temporarily) and thank you for the response.

I tried as you suggested but I didn’t work, it seems it broke the _headers file, as it continued to send the Access-Control-Allow-Origin header and stopped sending the other headers. Maybe I did something wrong in the process

What I done for now was create a Transform Rule on the dashboard to remove the header, but ideally the header shouldn’t be sent at all.

Walshy · June 6, 2022, 5:02pm

Hey,

If you can send your _headers I can take a look at what may have gone wrong.

gusta · June 6, 2022, 5:28pm

It seems it had stopped working altogether because I had put it in the wrong folder. I’m using direct uploads and the ZIP structure was as follows

file.zip
├─ _headers
└─ public/
   └─ ...

I tried now with all files at the zip root and the headers were sent again. Including the Access-Control-Allow-Origin header.

The _headers file is as follows:

/*.txt
  Content-Type: text/plain

/*
  Strict-Transport-Security: max-age=31536000
  X-Robots-Tag: noindex
  X-Frame-Options: SAMEORIGIN
  ! Access-Control-Allow-Origin

gusta · June 10, 2022, 5:13am

I don’t know if I did something wrong while trying to remove the Access-Control-Allow-Origin header or if Cloudflare changed something in their end since this topic, but it seems prepending the header directive with ! to remove a header is now working as intended.

I also noticed there’s now a “Detach a header” section in the docs.

system · June 13, 2022, 5:13am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.