Topic: Access To Website Blocked By CORS Policy

[apishdad]

Hi,
I am getting the following error for CORS policy and below is my configuration in my .conf file.

The error is :

Access to XMLHttpRequest at 'https://mywebsite.com/dir1/api/login' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.


I am just showing below the sections that relate to CORST policy. I cant post the whole virtualhost because its too long.


<VirtualHost 10.36.1.2:443>
ServerName mywebsite.com

Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options DENY
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
Header always set Pragma "no-cache"

#---------------------------------------------------------------------CORS POLICY--------------------------------------------------------------------
SetEnvIf Origin "http(s)?://(www\.)?(q-iris.awsdev-univeris.com|website1.com|website2.com|allotherwebsites.com|etc,etc.com)$" AccessControlAllowOrigin=$0
Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header append Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT, HEAD"
Header append Access-Control-Max-Age "600"
Header append Access-Control-Allow-Headers "x-requested-with, Content-Type, Authorization, origin, accept, x-api-key"
Header append Access-Control-Allow-Credentials "true"


</VirtualHost>


Your response is greatly appreciated.

[James Blond]

it seems that Access-Control-Allow-Origin is not set correctly.

Can you open the developer tools in your browser and see a more detailed error message?