jackyzy823 / standardnotes-app-images

Provide standardnotes/web docker image and android apk
The Unlicense

CORS Allow Origin Not Matching Origin #6

Closed WakeOneT closed 7 months ago

WakeOneT commented 7 months ago

add_header 'Access-Control-Allow-Origin' '*';

I am using three domains: sync api.xx.xx, file file.xx.xx, note note.xx.xx. I added the configuration in nginx and am still getting errors. Do I need to change it at the code level?

WakeOneT commented 7 months ago

version: '3.9'

services:
  standardnotes-web:
    image: ghcr.io/jackyzy823/standardnotes-web:3.191.12
    container_name: app-notes-web
    env_file: ../standard-notes/.env
    cpuset: '0'
    ports:
      - 81:80
    networks:
      standard-notes:
    depends_on:
      standardnotes-api:
        condition: service_healthy
    healthcheck:
      test: curl -s http://localhost
      timeout: 10s
      interval: 5s
    restart: unless-stopped

  standardnotes-api:
    image: standardnotes/server
    container_name: app-notes-api
    env_file: ../standard-notes/.env
    cpuset: '0'
    ports:
      - 3001:3000
      - 3002:3104
    volumes:
      - "$LOG:/var/lib/server/logs"
      - "$STORAGE/uploads:/opt/bundled/files/packages/files/dist/uploads"
    networks:
      standard-notes:
      standard-notes-backend:
      standard-notes-db:
    depends_on:
      localstack:
        condition: service_healthy
      standardnotes-db:
        condition: service_healthy
      standardnotes-cache:
        condition: service_healthy
    healthcheck:
      test: curl -s http://localhost:3000
      timeout: 10s
      interval: 5s
      start_period: 60s
    restart: unless-stopped

  localstack:
    image: localstack/localstack:3.0
    container_name: app-notes-aws
    env_file: ../standard-notes/.env
    cpuset: '0'
    expose:
      - 4566
    volumes:
      - "$STORAGE/localstack_bootstrap.sh:$LS_INIT/localstack_bootstrap.sh"
    networks:
      standard-notes-backend:
      standard-notes-db:
    healthcheck:
      test: curl -s http://localhost:4566/_localstack/health
      timeout: 10s
      interval: 5s
      start_period: 60s
    restart: unless-stopped

  standardnotes-db:
    image: mysql:8
    container_name: db-mysql-notes
    env_file: ../standard-notes/.env
    cpuset: '1'
    expose:
      - 3306
    volumes:
      - "./mysql:/var/lib/mysql"
    networks:
      standard-notes-db:
    healthcheck:
      test: [
        "CMD",
        "mysqladmin",
        "ping",
        "-h", "localhost",
        '-u', 'root',
        '-p$$MYSQL_ROOT_PASSWORD'
      ]
      timeout: 20s
      retries: 10
      start_period: 10s
    restart: unless-stopped

  standardnotes-cache:
    image: redis:7
    container_name: db-redis-notes
    env_file: ../standard-notes/.env
    cpuset: '1'
    user: "${PUID}:${PGID}"
    volumes:
      - "$STORAGE/redis:/data"
    expose:
      - 6379
    networks:
      standard-notes-db:
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 20s
      timeout: 3s
    restart: unless-stopped

networks:
  standard-notes:
    name: standard-notes
  standard-notes-backend:
    name: standard-notes-backend
  standard-notes-db:
    name: standard-notes-db

jackyzy823 commented 7 months ago

Hello, could you share the failed request's response headers?

I searched "CORS Allow Origin Not Matching Origin" in Google, and it tells me: "Reason: The response includes more than one Access-Control-Allow-Origin. Solution: Make sure the CORS request is configured to include your origin in its Access-Control-Allow-Origin header and only has an Access-Control-Allow-Origin header."

Could you check if the response has multiple Access-Control-Allow-Origin headers?

WakeOneT commented 7 months ago

You can check it out by visiting the website, note.vox.cc.

Thank you.

WakeOneT commented 7 months ago

file.domain.com

The nginx file is like this:

location ^~ / {
    proxy_pass http://127.0.0.1:3002;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header REMOTE-HOST $remote_addr;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    add_header X-Cache $upstream_cache_status;
    add_header Strict-Transport-Security "max-age=31536000";
}

I believe the problem I'm having is with reverse proxies and a CORS error.

I tried caddy and kept fixing the parameters, and it still doesn't work. If you have a complete reverse proxy configuration, you can share it with me!

WakeOneT commented 7 months ago

set $cors ''; if ($http_origin ~ '^https?://(note.domain.com)') { set $cors 'true'; }

if ($cors = 'true') { add_header 'Access-Control-Allow-Origin' "$http_origin" always; add_header 'Access-Control-Allow-Credentials' 'true' always; add_header 'Access-Control-Allow-Methods' 'GET,HEAD,PUT,PATCH,POST,DELETE' always; add_header 'Access-Control-Allow-Headers' 'content-type,x-application-version,x-snjs-version' always; add_header 'Access-Control-Expose-Headers' 'x-captcha-required' always; }

if ($request_method = 'OPTIONS') {

Tell client that this pre-flight info is valid for 20 days

    add_header 'Access-Control-Max-Age' 1728000;
    add_header 'Content-Type' 'text/plain charset=UTF-8';
    add_header 'Content-Length' 0;
    return 204;

}

set still not work

jackyzy823 commented 7 months ago

Hello, you should set CORS headers for 'OPTIONS' too.
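A location block that covers both points raised in this thread (a single Access-Control-Allow-Origin header, and the same CORS headers on the OPTIONS preflight), as an added example that is not the maintainer's or the project's own configuration. It assumes the files service is the upstream on 127.0.0.1:3002 as posted above, that https://note.domain.com is the only browser origin that may call it, and that the map directive is placed in the http block.

```nginx
# Added example, not the maintainer's config. Assumes the files service is the
# upstream on 127.0.0.1:3002 (as posted above) and that https://note.domain.com
# is the only browser origin that may call it. The map goes in the http block.
map $http_origin $cors_origin {
    default "";
    # Anchored and dot-escaped: https://note.domain.com.attacker.example must not match.
    "~^https://note\.domain\.com$" $http_origin;
}

server {
    listen 443 ssl;
    server_name file.domain.com;
    # ssl_certificate / ssl_certificate_key: use your existing ones.

    location / {
        # Hide any CORS headers the upstream sets itself; two
        # Access-Control-Allow-Origin headers make the browser reject the response.
        proxy_hide_header Access-Control-Allow-Origin;
        proxy_hide_header Access-Control-Allow-Credentials;

        # An empty $cors_origin makes nginx omit the header for other origins;
        # "always" keeps the headers on 4xx/5xx responses too.
        add_header Access-Control-Allow-Origin $cors_origin always;
        add_header Access-Control-Allow-Credentials true always;
        add_header Access-Control-Allow-Methods "GET,HEAD,PUT,PATCH,POST,DELETE,OPTIONS" always;
        add_header Access-Control-Allow-Headers "content-type,x-application-version,x-snjs-version" always;
        add_header Access-Control-Expose-Headers "x-captcha-required" always;
        add_header Vary Origin always;

        # Preflight is answered here. add_header is not inherited into an if
        # block that has its own add_header, so the CORS headers are repeated.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin $cors_origin always;
            add_header Access-Control-Allow-Credentials true always;
            add_header Access-Control-Allow-Methods "GET,HEAD,PUT,PATCH,POST,DELETE,OPTIONS" always;
            add_header Access-Control-Allow-Headers "content-type,x-application-version,x-snjs-version" always;
            add_header Access-Control-Max-Age 1728000 always;
            return 204;
        }

        proxy_pass http://127.0.0.1:3002;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

To verify, send `curl -i -X OPTIONS -H 'Origin: https://note.domain.com' https://file.domain.com/` and confirm that exactly one Access-Control-Allow-Origin header comes back, and none at all when the Origin is a different site.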

WakeOneT commented 7 months ago

Could you share your configuration and docker with me?

I tried 20 times, including OPTIONS.

jackyzy823 commented 7 months ago

Sorry, I use the same domain but different paths for the web, api and files endpoints, so my config is not suitable for you.

jackyzy823 commented 7 months ago

Also, I could use "https://addons.mozilla.org/en-US/firefox/addon/cors-everywhere/" to bypass the CORS problem.

WakeOneT commented 7 months ago

Sorry, I use the same domain but different paths for the web, api and files endpoints, so my config is not suitable for you.

I'd like to change the deployment environment, like you.

Like app.domain.com with /api, /file, /web.

Can you share the config with me?

WakeOneT commented 7 months ago

Traefik: accessControlAllowHeaders = "https://notes.$DOMAIN". I still haven't found the right way to do it in nginx and caddy, but the above software was an easy fix.

Refer to this person: https://github.com/eric-pierce/Personal-Cloud/blob/d0b49c83c21a81dd89948a154b1aac33fa4dd807/docker-compose.yml#L644

WakeOneT commented 7 months ago

I tested all the previous versions, 3.189.4 and before, including this one, without any problems.

WakeOneT commented 7 months ago

Also, I could use "https://addons.mozilla.org/en-US/firefox/addon/cors-everywhere/" to bypass the CORS problem.

It should be the official code: 'Content-Security-Policy' here locks a few official domains. Is it possible to change the dockerfile to adapt it here?

jackyzy823 commented 7 months ago

This is just the dev server, which is not included in the image. As I said in the README, you should handle CSP and CORS yourself. You could take the dev server's headers as a reference.