nelmio / NelmioCorsBundle

Adds CORS (Cross-Origin Resource Sharing) headers support in your Symfony application
https://symfony.com/bundles/NelmioCorsBundle/
MIT License

XMLHttpRequest cannot load http://127.0.0.1:8000/api/login_check. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access. #68

Closed RobertRajcool closed 1 year ago

RobertRajcool commented 7 years ago

XMLHttpRequest cannot load http://127.0.0.1:8000/api/login_check. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.

RobertRajcool commented 7 years ago

I still got this issue.

northys commented 7 years ago

@RobertRajcool please include your configuration so we can help you :)

gmoreira commented 7 years ago

I am currently investigating an issue I have in a new app using Symfony 3.2 that seems similar to this. @RobertRajcool, are you also using Symfony 3.2 as well?

In firebug console I see:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8005/.../ (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

However, it would seem that the root cause of this is that the preflight OPTIONS request is failing with an HTTP 500 error.

In the method CorsListener::getPreflightResponse() on Line 114, when allow_headers is true, it is expecting the Access-Control-Request-Headers to be specified, which in my scenario is not the case where a DELETE request only has the header Access-Control-Request-Method: DELETE provided. So, on this line $headers is null.

Now it would seem this wasn't a problem until the RequestDataCollector in symfony/http-kernel was recently updated in 3.2 to use a different method for parsing headers. Given that the header Access-Control-Request-Headers is null (or empty array once in the HeaderBag), it throws an exception when evaluating $v[0] on Line 128.

To solve this, we can:

  1. Change symfony/http-kernel to better check that $v[0] exists on line 128.
  2. Change CorsListener to only set Access-Control-Request-Headers when a value is provided.

For now, I've provided a pull request #69 for option (2) and will add a comment in symfony/http-kernel regarding this.

BallisticPain commented 7 years ago

EDIT (resolved): So my issue was that I was clearing my dev cache, but when calling my localhost domain, it was "prod" so it needed to be cleared so it could pick up the NelmioCorsBundle configurations and such.

I'm also having this issue, however, I'm on Symfony 2.8 currently.

I have tried many different nelmio_cors configurations... below are the two that I'm trying currently to no avail...

nelmio_cors:
    paths:
       "^/":
          allow_credentials: true
          origin_regex: false
          allow_origin: ['*']
          allow_headers: ['Origin','Accept','Content-Type']
          allow_methods: ['POST','GET','DELETE','PUT','OPTIONS']
          max_age: 3600

and

nelmio_cors:
    defaults:
        allow_origin: ["*"]
        allow_headers: ["*"]
        allow_methods: ["POST", "PUT", "GET", "DELETE", "OPTIONS"]
        max_age: 3600
        origin_regex: false
    paths:
        '^/': ~

I have the bundle initialized in AppKernel.php. However, I can't even tell if the bundle is doing anything for me since this issue isn't being resolved. I thought that with this CORS bundle it would properly respond to OPTIONS requests.

codereviewvideos commented 7 years ago

I too hit on a similar issue this morning. In my case it was that I had updated to PHP7.1, but had not started the correct FPM service (the config for 7.0 was still running). It might be that this is a symptom of a problem further down your stack, and this error is a bit misleading.

BallisticPain commented 7 years ago

@codereviewvideos Yes the error is misleading because it can simply signify a server error instead of an actual CORS issue. I had to dig into my logs to figure out I hadn't cleared the correct environment's cache.
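The point made in the comments above, that a failing preflight is often a server error rather than a CORS misconfiguration, can be checked from the raw preflight response. This is an added example, not part of the original thread or the bundle's code; the verdict names and the sample responses are constructed for illustration.

```sh
# Classify a CORS preflight response from its status line and headers (stdin).
# $1 is the Origin that was sent. Live use, with the URL and origin quoted in this issue:
#   curl -si -X OPTIONS http://127.0.0.1:8000/api/login_check \
#     -H 'Origin: http://localhost:3000' -H 'Access-Control-Request-Method: POST' \
#     | classify_preflight http://localhost:3000
classify_preflight() (
  origin=$1; status=""; acao=""; acac=""
  cr=$(printf '\r')
  while IFS= read -r line; do
    line=${line%"$cr"}                       # curl output uses CRLF line endings
    [ -n "$line" ] || break                  # blank line: end of headers
    if [ -z "$status" ]; then                # "HTTP/1.1 500 Internal Server Error"
      status=${line#* }; status=${status%% *}
      continue
    fi
    name=$(printf '%s' "${line%%:*}" | tr '[:upper:]' '[:lower:]')
    value=${line#*:}; value=${value# }
    case $name in
      access-control-allow-origin)      acao=$value ;;
      access-control-allow-credentials) acac=$value ;;
    esac
  done
  case $status in
    5??) echo "server-error" ;;              # application failure: read the server log
    2??) if   [ -z "$acao" ];       then echo "acao-missing"
         elif [ "$acao" = "null" ]; then echo "acao-null"
         elif [ "$acao" = "*" ] && [ "$acac" = "true" ]; then
           echo "wildcard-with-credentials"  # refused for credentialed requests
         elif [ "$acao" = "*" ] || [ "$acao" = "$origin" ]; then echo "ok"
         else echo "origin-mismatch"
         fi ;;
    *)   echo "non-2xx-status" ;;            # e.g. a redirect; preflight needs 2xx
  esac
)

# Constructed sample responses (not captured from a real server), as %b strings.
sample_500='HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n'
sample_ok='HTTP/1.1 204 No Content\r\nAccess-Control-Allow-Origin: http://localhost:3000\r\n\r\n'
sample_null='HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: null\r\n\r\n'
sample_wild='HTTP/1.1 200 OK\r\naccess-control-allow-origin: *\r\nAccess-Control-Allow-Credentials: true\r\n\r\n'

for s in "$sample_500" "$sample_ok" "$sample_null" "$sample_wild"; do
  printf '%b' "$s" | classify_preflight http://localhost:3000
done
```

A `server-error` or `non-2xx-status` verdict means the CORS configuration is not the first thing to debug: the browser reports any failed preflight as a missing `Access-Control-Allow-Origin` header.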

RobertRajcool commented 7 years ago

This is my configuration file:

nelmio_cors:
    defaults:
        allow_credentials: false
        allow_origin: []
        allow_headers: []
        allow_methods: []
        expose_headers: []
        max_age: 0
        hosts: []
        origin_regex: false
    paths:
        '^/':
            allow_origin: ['']
            allow_headers: ['']
            allow_methods: ['POST', 'PUT', 'GET', 'DELETE']
            max_age: 3600

BallisticPain commented 7 years ago

@RobertRajcool You can put code in code blocks using three back ticks on the line above and below code...

Like so ... (this is three back ticks ```)

Secondly, here is my working configuration... which I may have snagged out of this thread...

nelmio_cors:
    paths:
       "^/":
          allow_credentials: false
          origin_regex: false
          allow_origin: ['*']
          allow_headers: ['Origin','Accept','Content-Type']
          allow_methods: ['POST','GET','DELETE','PUT','OPTIONS']
          max_age: 3600

RobertRajcool commented 7 years ago

@BallisticPain attach config.yml file

reneszabo commented 7 years ago

Same here, with local dev, using Docker I get:

Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header contains the invalid value 'null'. Origin 'http://localhost:3030' is therefore not allowed access.

But on dev server requests come in ok.

nelmio_cors:
  defaults:
      allow_credentials: false
      allow_origin: []
      allow_headers: []
      allow_methods: []
      expose_headers: []
      max_age: 0
      hosts: []
      origin_regex: false
  paths:
      '^/':
          origin_regex: true
          allow_origin: ['^http://localhost:[0-9]+', '^http://example.com:[0-9]+', '^https://example.gitlab.io']
          allow_headers: ['*']
          allow_methods: ['POST', 'PUT', 'GET', 'DELETE','OPTIONS', 'PATCH']
          max_age: 3600
          hosts: ['\.']

rsaenen commented 7 years ago

Same issue with Symfony 3.2.3 with this configuration:

nelmio_cors:
    defaults:
        allow_origin:  ["%cors_allow_origin%"]
        allow_headers: ["content-type", "authorization"]
        allow_methods: ["POST", "PUT", "GET", "DELETE", "PATCH", "OPTIONS"]
        max_age:       3600
    paths:
        '^/': ~

I found that clearing the cache from a terminal can solve the issue:

rm -rf var/cache/*

But this configuration works on one of my two computers, the VM is the same... I still don't know why...

rafiquljislam commented 3 years ago

Try this. It works for me:

npm i js-cookie

import Axios from 'axios'
import Cookies from 'js-cookie'

// CSRF token read from the cookie set by the Django domain
const csrftoken = Cookies.get('csrftoken')

// POST to the login endpoint, sending the token in the X-CSRFToken header
const loginRequest = async () => {
    const res = await Axios({
        method: "post",
        url: `/api/api-auth/login/`,
        headers: { 'X-CSRFToken': csrftoken },
        data: {}
    })
    console.log(res.data)
}

nurhesen commented 3 years ago

I was working on the same error for 2 hours, then I realized I just had to add a slash after the link. From http://127.0.0.1:8000/api/login_check to http://127.0.0.1:8000/api/login_check/