No 'Access-Control-Allow-Origin' header is present despite setting DISCOURSE_ENABLE_CORS: true

I added the following statements in our app.yml


Temporarily set ‘*’ to eliminate variables while testing. I have also attempted setting urls explicitly to no avail.

However, despite the above, we still get


No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

Context: We have a unity based iOS client that interfaces with some discourse APIS and for testing we use WebGL. And we face this issue when testing on our browsers running WebGL specifically.

I am also observing from postman tests that all requests have a ‘strict-origin-when-cross-origin’ Referrer-Policy in the response headers.

Any help is appreciated. Thank you!

cors origins setting is controlled in admin > settings > security

you only need DISCOURSE_ENABLE_CORS: in your app.yml

1 Like

I attempted and tested this as well

And for our single site setup setting origin in .yml vs. the admin ui should have the same effect per: What is the purpose of Settings -> Security -> CORS origins vs similar environment setting?

1 Like

I’m not sure we support the wildcard here. Can you try it with a real domain? We are using the cors settings in a couple sites with domains configured and it appears to work fine.

1 Like

i also have it set on one of my sites and it does work

1 Like

I attempted with a domain, no luck. Is there a way to confirm that the env vars are set correctly? (or that the app restart configured the cors without resending requests, just trying to think of ways to debug).

I think this is the part of code that handles the cors settings, just in case it is useful.

1 Like

Within the ngnix access logs I notice that the OPTIONS call returns a 404 (and precedes the error on the GET call)

1 Like