Chrome Access-Control-Allow-Origin header issue

[nickian]

I noticed that when I load the tracking script on a web site, I get this error in the console in Chrome and the anonymous contact doesn't appear to get logged in Mautic.

XMLHttpRequest cannot load https://mautic.mydomain.com/mtc. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://mydomain.com' is therefore not allowed access.

Is this a server configuration issue or a Mautic issue? The only alternative I can think of is to use the old image tracking pixel instead.

Thanks.

[nickian]

Nevermind! This is a configuration error on my part.

For anyone else wondering, you have to make sure to have "restrict domains" turned off or have valid URLs defined in Mautic's configuration page under "CORS Settings."

[jasaronson]

Thank you nickian! This was driving me crazy!

[eknimation]

Thank you nickian.

[jdecampos]

thank :)

[preetssekhon]

I am also getting something similar error, i have already turned off in Mautic's configuration page under CORS Settings. but still getting below error.

Access to XMLHttpRequest at 'https://mautic.onsitesoftware.com/mtc/event' from origin 'https://mydomain.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header contains multiple values 'https://mydomain.com, *', but only one is allowed.

[nickian]

I'm not sure what else the problem could be. Maybe it is something with your server config. I would try what this article says: https://poanchen.github.io/blog/2016/11/20/how-to-enable-cross-origin-resource-sharing-on-an-apache-server

[evgu]

@preetssekhon I think 'Access-Control-Allow-Origin' can have only ONE value - i.e. try with either '*' or 'https://mydomain.com'. This will be in your server configuration for Access-Control-Allow-Origin.

[Thurgood78]

There are no "CORS Settings" in the latest Mautic version anymore. I guess this has become the "API Credentials"... somehow this does not work for me and I still get this CORS headers warning in Firefox (latest). In Mautic's root .htaccess file I entered the following code:

<IfModule mod_headers.c> Header set Access-Control-Allow-Credentials: true Header set Access-Control-Allow-Origin 'https://www.my-domain.com' </IfModule>
I also tried ".my-domain.com/" to cover access from all of my domains variants (-> http(s) and www. or no-www and subdirectories), but this does not to work, or I used the wrong syntax. Anyone knows correct apache syntax?

I'm closed to a solution... the error of "missing CORS header" turned into

(Reason: missing token ‘x-requested-with’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel).

Anyone can help with the command "x-requested-with"? Which token do I have to use?
Thanks guys.

[Thurgood78]

SOLUTION FOUND:
Anyone with the same problem, add this code to your Mautic's root .htaccess file:

<IfModule mod_headers.c> Header set Access-Control-Allow-Credentials: true Header set Access-Control-Allow-Origin: "https://www.your-domain-name.com" Header set Access-Control-Allow-Methods: "GET, POST, PATCH, PUT, OPTIONS" Header set Access-Control-Allow-Headers: “Origin, Content-Type, X-Auth-Token, X-Requested-With” </IfModule>

Still I'm wondering how to wildcard specific variants of my domain to not have to note every single URI ...

[ceefour]

There are no "CORS Settings" in the latest Mautic version anymore.

@Thurgood78 I'm not sure what version you are using, I'm using 3.1.1 and it exists:

See more: https://about.lovia.life/docs/infrastructure/mautic-engineering/