#Headers [ Cors Error]
I'm currently writing a site on a domain, let's say dog.com.
My api is running on cat.com.
I'm using express for my api and set the cors headers to this:
app.use((req, res, next) => {
  res.setHeader('Access-Control-Allow-Origin', '*');
  res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
  res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
  next();
});
so cat.com should always return these headers when requesting the base endpoint on cat.com/api/
so for example when a user currently on dog.com does an async xhr get request to cat.com/api/data
i get a cors error
if i look at the response of the failed request i don't see the cors header so it is ofc denied
i disabled cache and also disabled all security, ddos protection, bot shield, custom rules
everything but it still doesn't work
This thing is always in my way and i don't know how to solve it
every time i see this error i just quit
is it normal that cloudflare doesn't return all headers?
Cloudflare won't touch your cors headers at all
I'm sure you'd see the same result by visiting your site directly, avoiding cloudflare entirely
Do you have a URL I can see?
I see cors headers being returned there
ye
Do you have a URL where the cors headers are missing, and you're expecting them?
I also see them there
I can't reproduce this at all
?
The headers are always present for me
if you do a xhr?
Yes
It's probably more useful for you to send your code (and the full cors error)
Since you're the one experiencing the error
useEffect(() => {
  axios.get("https://scrape.ovh/api/holy/data", {})
    .then((res) => {
      console.log(res.data);
    })
    .catch((err) => {
      console.log(err);
      return;
    });
}, []);
i did this for a simple request
What about the full cors error?
That's odd
It seems to be responding with a redirect to itself 🤔
Yeah, when I fetch it without cors, it's redirecting to itself infinitely
Something odd is going on here, likely between cloudflare and your origin
what the hell
https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls Which SSL setting do you have here?
My guess is it's on Flexible?
yes
i have reverse proxy behind cloudflare
so it's a reverse proxy with cloudflare
Does your reverse proxy support https? It might be redirecting to that
ye
Could you try setting the ssl mode to full, and see if that changes anything?
i changed it
Hmm, it's still redirecting to itself for some reason 🤔
yes that's the funny thing
look the manifest.json on the same site redirects to itself too
yea I don't think it would be ssl/tls setting, just scanning over this, because the location header doesn't include the scheme
On the error response, there is no x-powered-by Express header like on a successful request, but there are the proxy headers, so whatever proxy you are using seems to be doing a redirect
Oh that's odd - now it's 404ing instead of 302ing
i will redirect cloudflare directly to my backend
without using the proxy
how's that?
but i think it will be the same thing
because why would the proxy not add the cors header but everything else is fine
doesn't make much sense to me
the proxy isn't adding the cors header because the cors headers are being set in Express, and the proxy is performing a redirect without contacting express
the erroneous redirect by your reverse proxy is the issue, not cors/express
but why is it doing that? it seems like it redirects xhr requests?
the proxy has a protection against ddos attacks using a cookie that it sets after the user is validated
how does it "validate the user"?
are you familiar with go?
no
sorry i mean go
still no lol, although closer as I know c#, go is semi-readable to me, why do you ask?
the proxy is written in go maybe you could have a look. I think it redirects because of the cookie that is not present on the requests?
somehow it doesn't read the cookie https://pneumonoultramicroscopicsilicovolcanoconiosis.club/hj0J7fSQ
when doing an xhr request
that's the only thing i could think about
The validate the user/ddos protection does sound like something that could be redirecting/requiring cookies
CORS works special with cookies, not sending them by default without special config I believe: https://stackoverflow.com/a/46412839/20285117
yep
it's probably because of the SameSite thing
it should be none
i did this
now it does a preflight request
with options
i still get the cors error
the same thing
the preflight request needs to return cors headers I believe, and can't be wildcard
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers
The value "*" only counts as a special wildcard value for requests without credentials (requests without HTTP cookies or HTTP authentication information). In requests with credentials, it is treated as the literal header name "*" without special semantics. Note that the Authorization header can't be wildcarded and always needs to be listed explicitly.
Or set them in apache/your reverse proxy
will it work when i install the cors proxy on the same server?
WAIT A SEC
OH NO
NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
lol what'd you do