Access-Control-Allow-Origin is there, but isn't working!


(Olivier Lambert) #1

Hey, I’ve submitted my post too soon. Here’s the full post.


Hey guys!

I’m working on a Discourse project where I have a Discourse install alongside a WordPress install.

So I’ve got “forum.latranchee.com” and “www.latranchee.com”.

Everything works fine.

However, I’d like to have the same top nav on both sites. That way, users could see their notifications whilst reading a blog post, per se.

So I’m trying to load the top nav through an ajax load() request. However, I get this error:

XMLHttpRequest cannot load https://forum.latranchee.com/.
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'https://www.olivierlambert.ca' is therefore not allowed access.
The response had HTTP status code 403.

I’ve added this in my nginx server block:

add_header 'Access-Control-Allow-Origin' https://www.latranchee.com;
add_header 'X-Frame-Options' https://www.latranchee.com;

And I’ve changed my app.yml file to include this:

DISCOURSE_ENABLE_CORS: true
DISCOURSE_CORS_ORIGIN: '*'

Here is the complete server block from my nginx.config:

	server {
		listen 80; listen [::]:80;
		listen 443 ssl;
		server_name forum.latranchee.com;

		add_header 'Access-Control-Allow-Origin' https://www.latranchee.com;
		add_header 'X-Frame-Options' https://www.latranchee.com;

		ssl_certificate /etc/nginx/ssl/ssl.crt;
		ssl_certificate_key /etc/nginx/ssl/ssl.key;

		if ($scheme = http) {
			return 301 https://$server_name$request_uri;
		}

		location / {
			proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
			proxy_set_header Host $http_host;
			proxy_http_version 1.1;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		}
	}

Any tips would be greatly appreciated!


(Rafael dos Santos Silva) #2

XMLHttpRequest cannot load https://forum.latranchee.com/. The 'Access-Control-Allow-Origin' header contains multiple values '*, https://www.latranchee.com', but only one is allowed. Origin 'http://www.latranchee.com' is therefore not allowed access.


Use only https://www.latranchee.com instead of *
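
The check behind the error quoted in post #2, as an added example that is not part of any post in this thread: it emulates how a browser evaluates `Access-Control-Allow-Origin` when two layers each emit the header. The helper name `acao_verdict` and the header lists are constructed, and it is an assumption that the two values came from Discourse's `*` setting plus the nginx `add_header` line.

```python
# Added example. acao_verdict and the header lists below are constructed for
# illustration; they are not Discourse or nginx code.

def acao_verdict(response_headers, request_origin, with_credentials=False):
    """Emulate the browser's Access-Control-Allow-Origin check.

    response_headers: list of (name, value) pairs as sent on the wire, so a
    header emitted by two layers (proxy and app) appears twice.
    Returns (allowed, reason).
    """
    values = [value.strip() for name, value in response_headers
              if name.lower() == "access-control-allow-origin"]
    if not values:
        return False, "no Access-Control-Allow-Origin header"
    # Repeated headers are combined into one comma-separated value, and that
    # combined string can never equal a single origin.
    combined = ", ".join(values)
    if "," in combined:
        return False, f"multiple values '{combined}', but only one is allowed"
    if combined == "*":
        if with_credentials:
            return False, "wildcard is rejected for credentialed requests"
        return True, "wildcard"
    # Exact string comparison: scheme, host and port must all match.
    if combined == request_origin:
        return True, "exact match"
    return False, f"'{combined}' does not match origin '{request_origin}'"


# Constructed: Discourse answering with '*' plus the nginx add_header line
# (assumed to be how the two values in post #2 arose).
APP_AND_PROXY = [
    ("Access-Control-Allow-Origin", "*"),
    ("Access-Control-Allow-Origin", "https://www.latranchee.com"),
]
# Constructed: only one layer sets the header, to the blog's origin.
SINGLE_LAYER = [("Access-Control-Allow-Origin", "https://www.latranchee.com")]

if __name__ == "__main__":
    for headers, origin in [
        (APP_AND_PROXY, "http://www.latranchee.com"),
        (SINGLE_LAYER, "http://www.latranchee.com"),
        (SINGLE_LAYER, "https://www.latranchee.com"),
    ]:
        print(origin, acao_verdict(headers, origin))
```

The second case still fails with a single header, because a page served over `http://` is a different origin from `https://www.latranchee.com`.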


(Olivier Lambert) #3

Hi! Thank you for your support.

I was getting an error because I was trying to pass post data through my .load() ajax call.