Firefox: CORS Missing Allow Header

Time:10-08

My Firefox is issuing an OPTIONS preflight request to my private backend to make a subsequent GET request with credentials.

The preflight request includes the headers

Origin: http://localhost:9670
Access-Control-Request-Headers: authorization
Access-Control-Request-Method: GET

My server responds with

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:9670
Vary: Origin

According to the docs I found that should be fine.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials

Anyway, my Firefox still states

CORS Missing Allow Header

in the Transferred section of the Network tab in the Developer Console.

What is my server response missing?

CodePudding user response:

In addition to

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:9670
Vary: Origin

the response to the preflight request must also contain

Access-Control-Allow-Methods: GET
Access-Control-Allow-Headers: Authorization

Otherwise, the access control check will fail and your browser won't send the actual (preflighted) request. See

Are you implementing CORS from scratch in the backend? If so, why not use a (good) CORS library, which you could configure to take care of all this for you?
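
Added example, not part of the original question or answer: a simplified JavaScript model of the browser's preflight check, run against the headers quoted on this page. It follows the Fetch standard, under which GET, HEAD and POST pass without being listed in Access-Control-Allow-Methods; the function and constant names are made up for illustration.

```javascript
// Added example: a simplified model of the browser's CORS-preflight check.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// Header names are case-insensitive, so index them in lower case.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value.trim();
  return out;
}

// Split a comma-separated header value into trimmed tokens.
const tokens = (value) => (value || "").split(",").map((t) => t.trim()).filter(Boolean);

// Returns the reasons the preflight fails; an empty array means it passes.
function checkPreflight(requestHeaders, responseHeaders, withCredentials) {
  const req = normalize(requestHeaders);
  const res = normalize(responseHeaders);
  const problems = [];

  const origin = res["access-control-allow-origin"];
  const originOk = origin !== undefined &&
    (origin === req["origin"] || (!withCredentials && origin === "*"));
  if (!originOk) problems.push("Access-Control-Allow-Origin does not match Origin");
  if (withCredentials && res["access-control-allow-credentials"] !== "true")
    problems.push("Access-Control-Allow-Credentials is not 'true'");

  // GET, HEAD and POST are CORS-safelisted and need not be listed explicitly.
  const method = req["access-control-request-method"];
  const methods = tokens(res["access-control-allow-methods"]);
  const methodOk = SAFELISTED_METHODS.has(method) || methods.includes(method) ||
    (!withCredentials && methods.includes("*"));
  if (!methodOk) problems.push(`method ${method} not in Access-Control-Allow-Methods`);

  // "*" is ignored for credentialed requests and never covers Authorization.
  const allowed = tokens(res["access-control-allow-headers"]).map((h) => h.toLowerCase());
  for (const name of tokens(req["access-control-request-headers"]).map((h) => h.toLowerCase())) {
    const wildcard = !withCredentials && name !== "authorization" && allowed.includes("*");
    if (!allowed.includes(name) && !wildcard)
      problems.push(`header ${name} not in Access-Control-Allow-Headers`);
  }
  return problems;
}

// Headers copied from the question and the answer on this page.
const PREFLIGHT = { "Origin": "http://localhost:9670",
  "Access-Control-Request-Headers": "authorization", "Access-Control-Request-Method": "GET" };
const FROM_QUESTION = { "Access-Control-Allow-Credentials": "true",
  "Access-Control-Allow-Origin": "http://localhost:9670", "Vary": "Origin" };
const FROM_ANSWER = { ...FROM_QUESTION,
  "Access-Control-Allow-Methods": "GET", "Access-Control-Allow-Headers": "Authorization" };
console.log(checkPreflight(PREFLIGHT, FROM_QUESTION, true), checkPreflight(PREFLIGHT, FROM_ANSWER, true));
```

Replacing the explicit header list with `Access-Control-Allow-Headers: *` would still fail here, because the wildcard is not honoured for credentialed requests.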
