Missing required request header. Must specify one of: origin,x-requested-with

[vasRK]

this url fails when I access it from ajax request.

Here is my code.

var x = new XMLHttpRequest();
x.open('GET', 'https://cors-anywhere.herokuapp.com/http://www.thecapitoltheatre.com/files/2016/01/squirrel1.jpg');
//x.setRequestHeader('x-requested-with', 'XMLHTTPREQUEST'); adding this also won't chang anyting.
//x.setRequestHeader('origin', 'http://localhost); if i do this browser throwing exception.(Refused to set unsafe header "origin",in Google Chrome)
x.responseType = 'blob';
x.onload = function () {..........};
x.onerror = function () {........}

[Rob--W]

The Origin header will automatically be set by the browser for cross-origin requests.

Are you by any chance trying to use CORS Anywhere in a Chrome extension?

[vasRK]

No I'm not using Chrome extension, just prefixing "https://cors-anywhere.herokuapp.com/" to my URL

[Rob--W]

It seems that the URL you're trying to proxy is currently not reachable via cors-anywhere.herokuapp.com

When I locally start a new instance of CORS Anywhere, I do get a response. Maybe the website that you're trying to proxy has blocked all requests from the public CORS Anywhere services.

Note: When you directly visit https://cors-anywhere.herokuapp.com/http://example.com via the browser, you'll see "Missing required request header. Must specify one of: origin,x-requested-with". This is intentional, the Origin header is only set by the browser for cross-origin requests. The purpose of requiring this header is to prevent the use of CORS Anywhere as a generic web proxy, because of security & performance.

[vasRK]

Thanks for help, I'm able to access other URLs using cors-anywhere proxy but not this particular URL.

[sprunge1]

I have a similiar problem, my script works with Chrome but not with internet explorer - with IE 11 I get the
Missing required request header. Must specify one of: origin,x-requested-with
error.
Any Idea?

[Rob--W]

@sprunge1 Example?

[msudol]

I'm running cors anywhere on an internal network, it's working great for various internal servers that do status checks. I'm getting this error solely from my local installed gitlab server. My assumption is that server is rejecting the headers being sent by cors anywhere - here is the error i get in my browser console

XML Parsing Error: syntax error
Location: http://corsanywhere.local:8080/http://gitlab.local/-/liveness
Line Number 1, Column 1:

I'm using the most basic cors anywhere client/server setup, so far i am able to query my router, redmine, jenkins, and a few other sites i'm running. It's only the gitlab server throwing the error, the page is returning JSON.

Cors Anwyhere error when I view source is "Missing required request header. Must specify one of: origin,x-requested-with"

[Rob--W]

@msudol You're likely trying to send a request to http://corsanywhere.local:8000 from http://corsanywhere.local:8000/. This is a same-origin request from the browser's perspective, and therefore the Origin header is not automatically added.

If you want to get the request to succeed anyway, add the X-Requested-With request header.

[yoavgecht]

Ok I don't have any solution for this it's just not redirecting

[MasterOfTheTiger]

I am having the same problem here: https://cors-anywhere.herokuapp.com/labs.bible.org/api/?passage=John+3:16-17

[yoavgecht]

Maybe try this:
cors-anywhere-master/server.js line 26
requireHeader : ['origin', 'x-requested-with']
just empty the array
requireHeader : []
For me its still not working but this is what I can suggest now..

[Rob--W]

The requireHeader is there for a reason. If this header requirement is removed, then the server basically becomes an open proxy, where a user can use the server as a proxy to visit other sites via the browser (e.g. by typing https://cors-anywhere.herokuapp.com/http://example.com/ in the location bar).
I intentionally block this, because then all websites would share the same client-side storage areas. This is bad for security, and also bad for the availability of my public server.

Currently, the only supported ways of using CORS Anywhere is:

• Cross-domain: Just send a request to the server with fetch or XMLHttpRequest. The browser will automatically add the Origin request header.

• Same-origin (if you host CORS Anywhere yourself and share the same origin with your main app, e.g. as done in How to integrate with existing expressjs server #81): Send the request with fetch or XMLHttpRequest, and also set the X-Requested-With request header, for example:

  var x = new XMLHttpRequest();
  x.open('GET', 'https://cors-anywhere.herokuapp.com/https://example.com');
  // I put "XMLHttpRequest" here, but you can use anything you want.
  x.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
  x.onload = function() {
      alert(x.responseText);
  };
  x.send();

If you cannot get the expected responses with the above methods, then one of the following could have happened:

• The URL that you want to proxy is unreachable (e.g. the site is down, or they have blocked access to the CORS Anywhere IP).
• Too many requests have been sent to CORS Anywhere by the given origin within the given time frame (Restrict access of public CORS Anywhere demo #45).
• The URL itself is blacklisted by me (e.g. Investigate abuse and block URLs #32, Application Error #42).
• CORS Anywhere is down (this has happened in the past when the server was flooded with requests, which is why I implemented the blacklist and rate-limiting above).

[sprunge1]

x.setRequestHeader("X-Requested-With", "XMLHttpRequest");
is the solution to most of these issues, as mentioned in Robs answer, also make sure you have the slashes in the url and the proxy correct.

[MasterOfTheTiger]

@yoavgecht the strange thing is the request works in the demo.

[theCrius]

The Origin header will automatically be set by the browser for cross-origin requests.
Are you by any chance trying to use CORS Anywhere in a Chrome extension?

I'm using it from an extension. On firefox it run properly, adding the origin to the request:

Host: cors-anywhere.herokuapp.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
origin: moz-extension://43120783-01d7-46f5-a741-2670677bb0d8
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

But on chrome I get something like:

GET /https://path.to.final.url/style.css HTTP/1.1
Host: cors-anywhere.herokuapp.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
DNT: 1
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en,it;q=0.9

I've already "://cors-anywhere.herokuapp.com/" in my manifest.json permissions attribute.

Any idea why?

[Rob--W]

I'm using it from an extension.

If you use it from an extension, then you don't need CORS Anywhere. Just add the host permissions to manifest.json, and then you can access a cross-origin resource without CORS.

[theCrius]

You're absolutely right. In fact just testing yesterday I "accidentally" (read, was trying everything) added cors-anywhere to the permission's attribute of the manifest json, and fetch wasn't sending the origin header anymore as, of course, it was treating is as "same-origin".

The issue for me anyway is that I let the user insert an URL to a CSS file (that could be on github, gitlab, pastebin, whatever else) and I poll it like what stylus does for its styles.

I could probably restrict the urls accepted to only some website to be honest and avoid using cors-anywhere. It's certainly something to consider.

[Tehsurfer]

x.setRequestHeader("X-Requested-With", "XMLHttpRequest");
is the solution to most of these issues, as mentioned in Robs answer, also make sure you have the slashes in the url and the proxy correct.

Thanks @sprunge1. I am able to use this successfully to access https://raw.githubusercontent.com content which was blocking me without it.

[umamahesh51]

var link = "https://www.example.com"; // Some link
var x =new XMLHttpRequest();
x.open('GET','http://cors-anywhere.herokuapp.com/'+link);
x.setRequestHeader('x-requested-with', 'XMLHttpRequest');
x.onload = function(){
console.log(x.responseText);$('#ticket').html(x.response)
};
x.send();
I'm using this in chrome extension, got below error
Not found because of proxy error: Error: getaddrinfo ENOTFOUND (URL)

This is not working for me.

I have tried with Heroku also but no luck.
Can you help me @Rob--W

[zanemcca]

For anyone who stumbled upon this issue while trying to get this working through an img tag here was my solution.

<img
          crossOrigin="anonymous"
          referrerPolicy="origin"
          className={className}
          {...props}
          src={url}
          srcSet={srcset}
 />

Note that it is important for some reason that crossOrigin and referrerPolicy come before the src. No idea why the order of the props matters but this seems to get the job done.

[ralexwong]

@zanemcca Thank you so much. Adding those attributes solved this problem i've been working on for months

[peter-palmer]

x.setRequestHeader("X-Requested-With", "XMLHttpRequest");
is the solution to most of these issues, as mentioned in Robs answer, also make sure you have the slashes in the url and the proxy correct.

what is x?

[Rob--W]

x.setRequestHeader("X-Requested-With", "XMLHttpRequest");
is the solution to most of these issues, as mentioned in Robs answer, also make sure you have the slashes in the url and the proxy correct.

what is x?

See https://github.com/Rob--W/cors-anywhere/issues/39#issuecomment-387690291

[apurvaAndroid]

Hi below is my code to download a pdf in my project there different clients domain and i can not download pdf with different domain.
I am using angular 7 also installed npm install cross-anywhere

using pdfFile = "https://cors-anywhere.herokuapp.com/"+pdfFilePath

this._myapiService.downloadBillAsPdf(pdfFile).subscribe(
res => {

    //res.header('x-requested-with', 'XMLHttpRequest');

    if (window.navigator.msSaveOrOpenBlob) {
      window.navigator.msSaveBlob(res, filename);
    } else {
      var url = window.URL.createObjectURL(res);
      var a = document.createElement("a");
      document.body.appendChild(a);
      a.setAttribute("style", "display: none");
      a.href = url;
      a.download = filename;
      a.click();
      window.URL.revokeObjectURL(url);
      a.remove(); // remove the element
    }
    this.toastr.success("Downloaded Successfully");
  },
  error => {
    this._commonUtility.showErrorToastr(error);
  },
  () => {}
);

public downloadFile(filepath, contentType): Observable {
let headers = new HttpHeaders();
headers = headers.set('Accept', contentType);
//headers = headers.set('X-Requested-With', 'XMLHttpRequest');

return this.externalHttpClient.get(filepath, { headers: headers, responseType: 'blob' as 'json' });

}

i am getting not fond on console and when i hit directly on browser its giving Missing required request header. Must specify one of: origin,x-requested-with

[qwrki]

The Origin header will automatically be set by the browser for cross-origin requests.

Are you by any chance trying to use CORS Anywhere in a Chrome extension?

I have this issue with the chrome extension.

[hogagatech]

Add X-Requested-With to your headers. headers: {
"X-Requested-With": "XMLHttpRequest",
},

This should solve the problem.