Locked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Hello

We have deployed a golang-app with the following cors config. the allowed origins are the ones specified as FRONTEND_ORIGIN_URL and BACKEND_ORIGIN_URL inside the fly.toml file.

app.Use(cors.New(cors.Config{
		AllowOrigins:     loadAllowedOrigins(), // "http://localhost:8080, https://xyz.pages.dev"
		AllowHeaders:     "Origin, Content-Type, Accept",
        AllowCredentials: true,
}))

with the following fly.toml:

app = "xyz-app"
primary_region = "cdg"

[build]
  builder = "paketobuildpacks/builder:base"
  buildpacks = ["gcr.io/paketo-buildpacks/go"]

[env]
  PORT = "8080"
  FRONTEND_ORIGIN_URL="https://xyz.pages.dev"
  BACKEND_ORIGIN_URL="http://localhost:8080"

[http_service]
  internal_port = 8080
  force_https = false
  auto_stop_machines = true
  auto_start_machines = true

[checks]
  [checks.alive]
    path = "/health"
    type = "tcp"
    interval = "15s"
    timeout = "2s"
    grace_period = "5s"

If I try to send a POST-request to our app, I get the following error message.

Access to fetch at 'https://xyz.fly.dev/api/create' from origin 'https://xyz.pages.dev' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

What might be the problem in my configuration?

Thanks in advance

You specify
FRONTEND_ORIGIN_URL=“https://xyz.pages.dev

But your request origin is xyz.fly.dev, not xyz.pages.dev

If that is not the issue, please check the headers:

For CORS checks, a browser performs a preflight request: an OPTIONS request tot the url you post to. Can you check if the right cors headers show when you do an OPTIONS https://xyz.fly.dev/api/create?

thank you for your reply.

In the meantime, the problem was found. It was due to a fatal (golang), which caused a websocket connection to interrupt, resulting in not responding with the expected header.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.