Access-Control-Allow-Origin is there, but isn't working!

(Olivier Lambert) #1

Hey, I’ve submited my post too soon. Here’s the full post

Hey guys!

I’m working on a discourse project where I have a discourse install alongside a wordpress install.

So I’ve got “” and “”.

Everything works fine.

However, I’d like to have the same top nav on both sites. That way, users could see their notifications whilst reading a blog post per say.

So I’m trying to load the top nav through an ajax load() request. However, I get this error:

XMLHttpRequest cannot load
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin '' is therefore not allowed access.
The response had HTTP status code 403.

I’ve added this in my nginx server block:

add_header 'Access-Control-Allow-Origin';
add_header 'X-Frame-Options';

And I’ve changed my app.yml file as to include this:


Here is the complete server block from my nginx.config:

	server {
		listen 80; listen [::]:80;
		listen 443 ssl;

		add_header 'Access-Control-Allow-Origin';
		add_header 'X-Frame-Options';

		ssl_certificate /etc/nginx/ssl/ssl.crt;
        ssl_certificate_key /etc/nginx/ssl/ssl.key;

        if ($scheme = http) {
        	return 301 https://$server_name$request_uri;

		location / {
			proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
			proxy_set_header Host $http_host;
			proxy_http_version 1.1;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Any tips would be greatly appreciated!

(Rafael dos Santos Silva) #2

XMLHttpRequest cannot load The ‘Access-Control-Allow-Origin’ header contains multiple values ‘*,’, but only one is allowed. Origin ‘’ is therefore not allowed access.

Use only instead of *

(Olivier Lambert) #3

Hi! Thank you for your support.

I was getting an error because I was trying to pass post data through my .load() ajax call.