Since Chrome 85, this error occurs when my front (localhost:8080) sends a request to my back (localhost:3000, node app): 'has been blocked by CORS policy: Cannot parse Access-Control-Allow-Headers response header field in preflight response'

And after playing with my CORS policy in my back, it reveals that when I remove headers with a '/' or a '=', everything works well.

Example:

```js
// does not work
res.header(
  'Access-Control-Allow-Headers',
  'Content-Type, Authorization, Content-Length, application/json, charset=utf-8, X-Requested-With'
)

// works well
res.header(
  'Access-Control-Allow-Headers',
  'Content-Type, Authorization, Content-Lengths, X-Requested-With'
)
```

And I do not understand why.

NB: I read https://www.chromium.org/Home/chromium-security/extension-content-script-fetches, I guess it has something to do with my issue but I still could not manage to fix it.

  • **DO NOT post images of code, data, error messages, etc.** - copy or type the text into the question. [ask] – Rob Sep 07 '20 at 13:49
  • You are right, thanks – Maxime Surmont Sep 07 '20 at 14:12
  • `application/json` and `charset=utf-8` aren’t valid header names. The Access-Control-Allow-Headers contents must be only header names. It can’t include header values (unless those header values happen to also be valid header names). There’s no effect that putting `application/json` and `charset=utf-8` into the Access-Control-Allow-Headers would ever have had to begin with — even in browsers which accept those in the value. That’s because the Access-Control-Allow-Headers contents are matched against actual request header names. And those aren’t request header names, so they’ll never match. – sideshowbarker Sep 07 '20 at 15:55
  • this may help https://stackoverflow.com/a/63987582/10507393 I don't have enough reputation to comment – Stef Sep 21 '20 at 07:09
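
The point made in the comments, as an added example that is not part of the original question or comments: every entry in `Access-Control-Allow-Headers` has to be a header name, and header names follow the HTTP token grammar (RFC 7230, section 3.2.6), which excludes `/` and `=`. The helper names `checkAllowHeaders` and `buildAllowHeaders` are hypothetical.

```javascript
// Added example, not code from the question.
// A header name is an HTTP "token": letters, digits and a few symbols,
// with no "/", "=", spaces or other separators.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Split an Access-Control-Allow-Headers value and classify each entry.
function checkAllowHeaders(value) {
  const valid = [];
  const invalid = [];
  for (const raw of value.split(',')) {
    const name = raw.trim();
    if (name === '') continue; // tolerate empty list elements
    (TOKEN.test(name) ? valid : invalid).push(name);
  }
  return { valid, invalid, ok: invalid.length === 0 };
}

// Build the header value from names only; throw on anything else so a bad
// entry is caught at startup instead of as a failed preflight in the browser.
function buildAllowHeaders(names) {
  const bad = names.filter((n) => !TOKEN.test(n));
  if (bad.length > 0) {
    throw new TypeError('not valid header names: ' + bad.join(', '));
  }
  return names.join(', ');
}

// The two values from the question.
const failing =
  'Content-Type, Authorization, Content-Length, application/json, charset=utf-8, X-Requested-With';
const working = 'Content-Type, Authorization, Content-Lengths, X-Requested-With';

console.log(checkAllowHeaders(failing).invalid);
console.log(checkAllowHeaders(working).ok);

// In an Express handler this would be used as:
//   res.header('Access-Control-Allow-Headers',
//     buildAllowHeaders(['Content-Type', 'Authorization', 'X-Requested-With']));
```

The media type and charset belong in the request's `Content-Type` value; allowing the `Content-Type` header name is what covers them.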
