--cors not working

[ralyodio]

XMLHttpRequest cannot load http://127.0.0.1:8081/feeds.json. Request header field Authorization is not allowed by Access-Control-Allow-Headers in preflight response

$ http-server --cors
Starting up http-server, serving ./
Available on:
  http://127.0.0.1:8081
  http://192.168.1.3:8081

Here are the headers:

Response Headers
access-control-allow-headers:Origin, X-Requested-With, Content-Type, Accept, Range
access-control-allow-origin:*
Connection:keep-alive
Date:Sun, 03 Sep 2017 07:51:28 GMT

Request Headers
view source
Accept:*/*
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.8
Access-Control-Request-Headers:authorization
Access-Control-Request-Method:GET

This is the OPTIONS request in chrome that is failing.

[jasonxia23]

--cors works fine for me.
Check your request headers whether there are headers not in Origin, X-Requested-With, Content-Type, Accept, Range

[ralyodio]

I had to pass --cors=Authorization

[TeodorKolev]

--cors option do nothing for me. I have tried http-server --cors and http-server --cors='*'
No success

[ansermino]

I believe I am having the same issue. Passing --cors the cross-origin request still fails

[exit99]

Same problem here.

[BigBlueHat]

@TeodorKolev @ansermino @Kazanz are you all simply using --cors (without a value or with '*' in @TeodorKolev's case)?

The test for this feature is here:
https://github.com/indexzero/http-server/blob/413fe72f8da11c7c5746d16e4a7876450f2d9d8c/test/http-server-test.js#L128-L156

Please extend it to test your scenario/usage expectation and lets see what we can figure out! 😃

[exit99]

@BigBlueHat After fiddling around turns out CORS was working in Firefox but not in chrome, because of the capitalization of the header.

[PhilTheAir]

This one works for me: http-server {folder} --cors=http://localhost:3000/

[BigBlueHat]

@BigBlueHat After fiddling around turns out CORS was working in Firefox but not in chrome, because of the capitalization of the header.

Capitalization of the CORS Access-* headers? or of the header passed in via --cors=? HTTP headers are not case sensitive, so it would surprise me if Chrome were failing for that reason.

We'll need to narrow down the scenario and test it before we change the code for this feature. Thanks!

[BigBlueHat]

This one works for me: http-server {folder} --cors=http://localhost:3000/

@PhilTheAir the --cors takes a list of HTTP Headers. It's currently not possible to narrow the Access-Control-Allow-Origin header to something less than *. If you need that, please file another issue for it--as it's likely useful to others! See https://github.com/indexzero/http-server/blob/master/lib/http-server.js#L69-L79 for codez.

[danieladams456]

This is potentially unrelated to some of the more specific comments, but in general if you're only testing in browser, the default caching of one hour can cause the non-cors response to be cached and fail to get the new cors response.

[J-Rojas]

I'm having a problem with reading headers within an XHR request in Chrome. 'Access-Control-Expose-Headers' needs to be supported as well.

mozilla/pdf.js#3150 (comment)
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers

[Mathes2665]

I had the same problem. I solved it by installing cors global npm install cors -g.

[bhagwantg]

--cors without value works, probably browser cache issue, hit ctrl + f5

[yinleiCoder]

It may be the cause of browser caching.
I solved the reason why cros did not work, and forced to refresh the browser by ctrl+F5

[ryanbuckleyca]

same issue here. tried npx http-server --cors='*', --cors, --cors=Authorization, tried hard-refreshing the browser and clearing the cache, tried in multiple browsers...still getting the following issue.

Access to fetch at 'http://www.theurliwanttofetch.com' from origin 'http://127.0.0.1:8080' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

[malibio]

I'm on the same scenario here...what ended up working for you, @ryanbuckleyca ?

same issue here. tried npx http-server --cors='*', --cors, --cors=Authorization, tried hard-refreshing the browser and clearing the cache, tried in multiple browsers...still getting the following issue.

Access to fetch at 'http://www.theurliwanttofetch.com' from origin 'http://127.0.0.1:8080' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

[akshayr-tavisca]

Hello, facing similar cors issue, when trying to load some external file within the application,
hs . --cors -p 8080 any updates on above issue, it works in few cases and fails in few and I am not sure why.

[LetrixZ]

--cors works for me but Ctrl+F5 nor clearing site's data fixes the cache issue. Only on incognito or in another browser.

[thornjad]

Is anyone having trouble with this on v13 and cache resetting does not fix the problem?

[abitgen]

--cors works! Just restarted the node http-server process. Using node v14.15.0 & http-server 13.0.0

[thornjad]

🎉 I'll close this as fixed in v13 then, please reopen if it appears broken again and resetting cache does not fix it

[mochaisthere]

so uh yea it stopped working again. I did everything I could but it just does not work

[thornjad]

@BeyYT what is everything you did and tried?

[yuchinchenTW]

I tried http-server --cors=* -p8110 -c-1 but the browser shows" has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled."

[mochaisthere]

@BeyYT what is everything you did and tried?

Every option, CORS header, even * and it still doesn’t work.

[abitgen]

@BeyYT a sample repo link, with the http-server version you are using, might help.

[benjamin-thomas]

Just a heads up for any future googlers...

Make sure you open dev tools, go to the network tab, select disable cache, then refresh.

Control F5 did not do the trick for me.

[mochaisthere]

@BeyYT a sample repo link, with the http-server version you are using, might help.

the sample repo has been on my github for a long time now. aswell the http-server version is the latest version there is.