NGINX - Access-Control-Allow-Origin not present even though it is set

Question

Every time I try to set the Access Control Allow Origin method it always returns;

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://example.com' is therefore not allowed access. The response had HTTP status code 405.

It reads every other header set as I removed them one by one to check this and the related error occurs whenI do. The Only one that isn't read is the one in question.

Here is my config;

location / {
   add_header 'Access-Control-Allow-Credentials', 'true';
   add_header 'Access-Control-Allow-Origin' 'http://example.com';
   add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
   add_header 'Access-Control-Expose-Headers' 'Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With, X-CSRF-TOKEN, X-MODE';
   add_header 'Access-Control-Allow-Headers' 'X-CSRF-TOKEN';

   try_files $uri $uri/ /index.php?$query_string;
}

specs: Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-98-generic x86_64)

If anyone can see what I'm doing wrong please share!

Regards

Try adding `always` ad the of these. `add_header 'Access-Control-Allow-Origin' 'http://example.com' always;`. I think issue may be that when you do proxy_pass to FPM, the response won't have those headers. Also move these out of the `location /` have them in the server block directly. See if that helps — Tarun Lalwani, Nov 07 '17 at 13:42
I've got them identical in both location blocks just to make sure :-( — Luke Snowden, Nov 07 '17 at 13:47
See if this helps https://stackoverflow.com/questions/45986631/how-to-enable-cors-in-nginx-proxy-server/45994114#45994114 — Tarun Lalwani, Nov 07 '17 at 13:52
Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/158424/discussion-between-tarun-lalwani-and-luke-snowden). — Tarun Lalwani, Nov 07 '17 at 14:13
Your first `add_header` contains a syntax error - are you sure that `nginx` is actually restarting? — Richard Smith, Nov 07 '17 at 15:31

score 0 · Answer 1 · answered Nov 07 '17 at 17:00

This is the only way I could get It to work;

Laravel's config/app.php

return [

/*
 |--------------------------------------------------------------------------
 | CORS
 |--------------------------------------------------------------------------
 |
 */
'allow_credentials'      => env( 'CORS_ALLOWE_CREDENTIALS', 'true' ),
'allowed_origins'        => env( 'CORS_ALLOWED_ORIGINS', '*' ),
'allowed_headers'        => env( 'CORS_ALLOWED_HEADERS', '*' ),
'allowed_methods'        => env( 'CORS_ALLOWED_METHODS', 'GET, POST, OPTIONS' ),
'exposed_headers'        => env( 'CORS_EXPOSED_METHODS', '' ),
'max_age'                => env( 'CORS_MAX_AGE', 0 )

];

Laravel's public/index.php

/*
|--------------------------------------------------------------------------
| Run The Application
|--------------------------------------------------------------------------
|
| Once we have the application, we can handle the incoming request
| through the kernel, and send the associated response back to
| the client's browser allowing them to enjoy the creative
| and wonderful application we have prepared for them.
|
*/

$kernel = $app->make('Illuminate\Contracts\Http\Kernel');

$response = $kernel->handle(
    $request = Illuminate\Http\Request::capture()
);

header("Access-Control-Allow-Origin: " . config( 'cors.allowed_origins' ) );
header("Access-Control-Allow-Headers: " . config( 'cors.allowed_headers' ) );
header("Access-Control-Allow-Methods: " . config( 'cors.allowed_methods' ) );
header("Access-Control-Max-Age: " . config( 'cors.max_age' ) );
header("Access-Control-Allow-Credentials: " . config( 'cors.allow_credentials' ) );

$response->send();

$kernel->terminate($request, $response);

NGINX - Access-Control-Allow-Origin not present even though it is set

1 Answers1