CORS request not working in Safari
I am making a CORS XHR request. This works fine in Chrome, however when I run it in Safari I get a 'Can not load ---- access not allowed by Access-control-allow-origin' error. The code is exactly the same and I have set the CORS on the server. Below is my code (has access control, but you are free to try without the accessToken).
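var water;
var req = new XMLHttpRequest();
req.overrideMimeType("application/json");
req.open('GET', 'https://storage.googleapis.com/fflog/135172watersupplies_json', true);
// The custom Authorization header is what makes the browser send an OPTIONS preflight first.
req.setRequestHeader('Authorization', 'Bearer ' + accessToken);
origThis = this;
var target = this;
req.onload = function() {
    // Keep the completed request so the response can be inspected afterwards.
    water = req;
};
req.send(null);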
After looking at the request headers I see that an OPTIONS request is made first and this is the request that is not allowed. The origin header is not included in the response in Safari, but is in Chrome. What would cause this? Any help would be greatly appreciated.
UPDATE:
I have tried in Safari for Windows and it works, so I'm not sure what is going on here. The mac that I am using is a remote access (Macincloud.com), but I don't think that would have anything to do with it.
javascript safari xmlhttprequest cors
asked May 29 '13 at 22:03 by Patrick (edited May 29 '13 at 22:15 by Patrick)
10 Answers
I encountered the same error when making an XHR request against a file in Amazon S3. On Safari 7 it was failing. I know you're not using Amazon S3, but I thought I'd post in case this solution helped others.
The problem was that Safari 7 set the Access-Control-Request-Headers header to "origin, x-requested-with", but my AWS CORS configuration only allowed "x-requested-with":
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>Authorization</AllowedHeader>
        <AllowedHeader>x-requested-with</AllowedHeader>
    </CORSRule>
</CORSConfiguration>
I added "origin" as an allowed header and everything worked fine.
<AllowedHeader>origin</AllowedHeader>
Note: the AllowedOrigin of * is for development purposes only. See @andes comment below for more information.
Thank you very much, Seth. You're a lifesaver :P
– leods92
Jun 18 '14 at 3:42
I know we're not supposed to say "Thanks" but holy crap I've been battling this thing with Safari for a long time! That did the trick!
– teewuane
Nov 27 '14 at 1:16
5
If you're following this example, please note that using * for AllowedOrigin is really meant for dev environments - you should use a white list in production, for most use cases. Here's an example for implementing a whitelist: github.com/monsur/CORSinAction/blob/master/ch07/listing-7.1/…
– andes
Feb 11 '15 at 16:12
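The preflight check described in the answer above, as an added example that is not code from the original thread: a server-side responder that validates Access-Control-Request-Headers against the policy and, following the comment about allowlists, echoes only allowlisted origins instead of `*`. The policy object, the function names and the origin https://app.example.com are assumptions made for this illustration.

```javascript
'use strict';

// Hypothetical policy object (shape and names are assumptions for this example).
// It mirrors the S3 rule from the answer: GET only, two allowed request headers,
// but with an explicit origin allowlist instead of "*".
const originalPolicy = {
  allowedOrigins: ['https://app.example.com'], // constructed allowlist entry
  allowedMethods: ['GET'],
  allowedHeaders: ['Authorization', 'x-requested-with'],
  maxAgeSeconds: 3000,
};

// The same policy with the fix from the answer applied: "origin" is also allowed.
const fixedPolicy = {
  ...originalPolicy,
  allowedHeaders: [...originalPolicy.allowedHeaders, 'origin'],
};

// Split a comma-separated header value into trimmed, lower-cased tokens.
function parseList(value) {
  return (value || '')
    .split(',')
    .map((token) => token.trim().toLowerCase())
    .filter((token) => token.length > 0);
}

// Decide how to answer an OPTIONS preflight.
// `req` holds the request headers a browser sends on preflight (lower-cased keys).
// Returns { allowed, reason, missingHeaders, headers }; `headers` is the CORS
// response header set, left empty when the preflight is refused.
function answerPreflight(req, policy) {
  const refuse = (reason, missingHeaders = []) =>
    ({ allowed: false, reason, missingHeaders, headers: {} });

  const origin = req['origin'];
  const method = (req['access-control-request-method'] || '').toUpperCase();
  const requested = parseList(req['access-control-request-headers']);

  // The origin must match an allowlist entry exactly; it is never reflected blindly.
  if (!origin || !policy.allowedOrigins.includes(origin)) return refuse('origin');
  if (!policy.allowedMethods.includes(method)) return refuse('method');

  // Header names are case-insensitive, and every requested name must be listed.
  const allowedLower = policy.allowedHeaders.map((h) => h.toLowerCase());
  const missing = requested.filter((h) => !allowedLower.includes(h));
  if (missing.length > 0) return refuse('headers', missing);

  return {
    allowed: true,
    reason: null,
    missingHeaders: [],
    headers: {
      // Echo the specific origin, which also works for credentialed requests.
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Methods': policy.allowedMethods.join(', '),
      'Access-Control-Allow-Headers': policy.allowedHeaders.join(', '),
      'Access-Control-Max-Age': String(policy.maxAgeSeconds),
      // The response depends on the Origin request header, so caches must key on it.
      'Vary': 'Origin',
    },
  };
}

// Constructed preflight with the header list the answer reports for Safari 7.
const safari7Preflight = {
  'origin': 'https://app.example.com',
  'access-control-request-method': 'GET',
  'access-control-request-headers': 'origin, x-requested-with',
};

// Constructed preflight from a browser that does not list "origin" as a header.
const otherBrowserPreflight = {
  'origin': 'https://app.example.com',
  'access-control-request-method': 'GET',
  'access-control-request-headers': 'x-requested-with',
};

// Refused under the original policy, with missingHeaders naming "origin".
console.log(answerPreflight(safari7Preflight, originalPolicy));
// Accepted under the original policy, which is why only Safari appeared broken.
console.log(answerPreflight(otherBrowserPreflight, originalPolicy).allowed);
// Accepted once "origin" is in the allowed header list.
console.log(answerPreflight(safari7Preflight, fixedPolicy).headers);
```

Logging `missingHeaders` for refused preflights on the server shows exactly which header a given browser asked for, without having to compare browsers by hand.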
Thanks for all the responses, I got this finally myself. I added 'Origin' to my responseHeaders and works fine now.
25
Could you elaborate a bit about the response.
– Sohaib
Oct 7 '15 at 9:54
1
Which kind of header? and where to put it? can you please add the exact steps with code?
– Umesh Patadiya
Dec 21 '18 at 12:49
I just had a similar problem, CORS error. It would work in Firefox & Chrome but not Safari 10.
Turned out we needed to put the trailing slash on the JSON URL.
1
no effect for me...
– kfn
Jul 25 '18 at 10:03
this worked for me. Thanks.
– Suraj Air
Nov 19 '18 at 5:39
For CORS requests you should be using your origin fflog.storage.googleapis.com. If you use the common storage.googleapis.com origin, any site can access your bucket.
Have you tried removing overrideMimeType? If you set mime type, it will return correctly.
I also have a problem with Safari POST requests, but no answer yet. GET is OK.
I did try and it did not work...also tried the other url with no luck :/
– Patrick
Jun 7 '13 at 16:56
Try to remove overrideMimeType.
var jsonhandler = function() {
        // With no MIME override, parse the response body as JSON explicitly.
        var req = JSON.parse(this.response);
        console.log(req);
    },
    req = new XMLHttpRequest();
req.open('GET', 'https://storage.googleapis.com/fflog/135172watersupplies_json');
req.setRequestHeader('Authorization', 'Bearer ' + accessToken);
req.onload = jsonhandler;
req.send();
did not work for me...
– Patrick
Jun 7 '13 at 16:54
When I query your URL I'm getting back the following Access-Control headers:
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Authorization, Cache-Control, Content-Length, Date, Expires, Server, Transfer-Encoding, x-goog-meta-foo1
I suspect it has something to do with your Access-Control headers - either you're leaving something out, or being too specific.
Given that you're actually sending a custom header, you may want to try:
Access-Control-Allow-Headers: *
You could also see if leaving out Access-Control-Expose-Headers makes a difference.
Beyond that, it would actually be helpful to see the actual request / response headers.
Access-Control-Allow-Headers doesn't allow wildcard, it has to be an exact match - w3.org/TR/cors/#access-control-allow-headers-response-header
– Jérémy F.
Oct 15 '14 at 23:31
When I try
curl -v -X OPTIONS \
    -H 'Origin: fflog.storage.googleapis.com' \
    -H 'Access-Control-Request-Method: GET' \
    https://storage.googleapis.com/fflog/135172watersupplies_json
I get, among other headers:
Access-Control-Allow-Origin: *
When I execute AJAX requests against https://storage.googleapis.com/fflog/135172watersupplies_json from Safari 6.0.4 on Mac OS 10.8.3 I get 403 errors, but they do all execute.
So I can only guess that you are trying to send a credentialed request for which a wildcard Access-Control-Allow-Origin is not allowed.
Thanks for the post, but to really test CORS with cURL you need to set the origin header to simulate the browser environment.
– Patrick
Jun 9 '13 at 21:36
As for Amazon S3, it only worked in Safari after I added more allowed headers, Content-Type and Range. One of these did the job.
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>Authorization</AllowedHeader>
        <AllowedHeader>Origin</AllowedHeader>
        <AllowedHeader>X-Requested-With</AllowedHeader>
        <AllowedHeader>Content-Type</AllowedHeader>
        <AllowedHeader>Range</AllowedHeader>
    </CORSRule>
</CORSConfiguration>
I had the same problem where CORS worked in Chrome, but threw an origin error in Safari. Turned out it was a Kerberos authorization issue. When I loaded the XHR URL directly in Safari, I was prompted for credentials. After entering them, I returned to the original site, and Safari no longer had the CORS error.
In my case, it was an issue with the Accept-Language header. I have added Accept-Language inside Access-Control-Allow-Headers and it got resolved.
answered Apr 7 '14 at 22:29 by Seth (edited Feb 11 '15 at 16:15)
answered Jun 9 '13 at 22:11 by Patrick
answered Oct 5 '16 at 13:25 by William Macdonald
answered May 30 '13 at 8:22 by Kyaw Tun
answered Jun 6 '13 at 11:59 by cocco
answered Jun 9 '13 at 21:50 by Luke
answered Jun 5 '13 at 5:24 by Old Pro (edited Jun 9 '13 at 22:00)
Thanks for the post. but to really test CORS with cURL you need to set the origin header to simulate the browser environment.
– Patrick
Jun 9 '13 at 21:36
add a comment |
Thanks for the post. but to really test CORS with cURL you need to set the origin header to simulate the browser environment.
– Patrick
Jun 9 '13 at 21:36
Thanks for the post. but to really test CORS with cURL you need to set the origin header to simulate the browser environment.
– Patrick
Jun 9 '13 at 21:36
Thanks for the post. but to really test CORS with cURL you need to set the origin header to simulate the browser environment.
– Patrick
Jun 9 '13 at 21:36
add a comment |
As for Amazon S3, it only worked in Safari after I added more allowed headers, Content-Type and Range. One of these did the job.
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>Authorization</AllowedHeader>
    <AllowedHeader>Origin</AllowedHeader>
    <AllowedHeader>X-Requested-With</AllowedHeader>
    <AllowedHeader>Content-Type</AllowedHeader>
    <AllowedHeader>Range</AllowedHeader>
  </CORSRule>
</CORSConfiguration>
answered Feb 3 '17 at 19:12
Edhowler
I had the same problem where CORS worked in Chrome, but threw an origin error in Safari. Turned out it was a Kerberos authorization issue. When I loaded the XHR URL directly in Safari, I was prompted for credentials. After entering them, I returned to the original site, and Safari no longer had the CORS error.
answered Apr 18 '18 at 17:55
Seth Moore
In my case, it was an issue with the Accept-Language header. I have added Accept-Language inside Access-Control-Allow-Headers and it got resolved.
answered Nov 12 '18 at 13:06
deen
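The answers above point at two preflight conditions: a wildcard Access-Control-Allow-Origin is rejected for credentialed requests, and every header the browser lists in Access-Control-Request-Headers (Authorization, Content-Type, Range, Accept-Language) has to be allowed by name. The following is an added example, not code from any of the posters: a simplified version of the browser's preflight check, where the function name `checkPreflight`, the origin `https://app.example` and all header values are constructed assumptions.

```javascript
// Added example: evaluates a preflight (OPTIONS) response roughly the way a
// browser's CORS check does (simplified). All sample values are constructed.
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);

function splitList(value) {
  return (value || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
}

// request:  { origin, method, headers: [names sent in Access-Control-Request-Headers], credentials }
// response: preflight response headers, keys in lower case
function checkPreflight(request, response) {
  const problems = [];
  const allowOrigin = response['access-control-allow-origin'];
  const wildcardOk = !request.credentials; // "*" is never honoured with credentials

  if (allowOrigin === '*') {
    if (!wildcardOk) problems.push('wildcard Access-Control-Allow-Origin with credentials');
  } else if (allowOrigin !== request.origin) {
    problems.push('Access-Control-Allow-Origin does not match ' + request.origin);
  }
  if (request.credentials && response['access-control-allow-credentials'] !== 'true') {
    problems.push('Access-Control-Allow-Credentials is not "true"');
  }

  const methods = splitList(response['access-control-allow-methods']);
  const method = request.method.toUpperCase();
  if (!SAFELISTED_METHODS.has(method) && !methods.includes(method.toLowerCase()) &&
      !(wildcardOk && methods.includes('*'))) {
    problems.push('method not allowed: ' + method);
  }

  const allowed = splitList(response['access-control-allow-headers']);
  for (const name of request.headers.map(h => h.toLowerCase())) {
    // "*" never covers Authorization; it must be listed by name.
    const viaWildcard = wildcardOk && allowed.includes('*') && name !== 'authorization';
    if (!allowed.includes(name) && !viaWildcard) problems.push('header not allowed: ' + name);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample: a browser that also lists Accept-Language in the preflight.
const sample = checkPreflight(
  { origin: 'https://app.example', method: 'GET',
    headers: ['Authorization', 'Accept-Language'], credentials: false },
  { 'access-control-allow-origin': '*',
    'access-control-allow-headers': 'Authorization, Content-Type, Range' });
console.log(sample); // ok: false, problems: ['header not allowed: accept-language']
```

Feeding it the headers from a `curl -v -X OPTIONS` response alongside the header list each browser actually sends shows which browser-specific header the server rule is missing.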