CORS Not working

[AliZaibazr]

getting error:
ww.example.com has been blocked by CORS policy: Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.

[AliZaibazr]

At last, after the effort of 3 days, I have removed the fruitcake package and using my own middleware.

[meeran-seers]

[MihailProcudin]

Same here, in my dev env suddenly something happened and now cors warning is firing all the time.
Just cant fix it now ....

[MihailProcudin]

It was just an error in the Model, not related to cors, sorted now.

[sanushen]

Also struggled for the whole weekend. Added custom middleware and it works now.

[Ghustavh97]

Stack: nginx laravel 8

I have no idea if this will help or why it's behaving like this, but for some reason if I send an options request (aka a preflight request) to my root domain path like api.example.com/ I get a 405 Not Allowed from nginx with generic headers that do not contain the Access-Control-Allow headers needed by the browser, even if api.example.com/ is a valid path in my routes/api.php file.

The browser seems not to care about the 405 but the fact that the 405 response has no allow headers at all and will console.log() the annoying message Request header (something-something) is not allowed by Access-Control-Allow-Headers in preflight response.

But

if I send a request to any path that is not root e.g api.example.com/123123123123 EVEN if the path does not exist in routes/api.php the preflight response works and responds with the headers needed by the browser for cors.

Bonus Note

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

[minhlong]

Same thing, I removed the fruitcake cors and using my own middleware.

    public function handle(Request $request, Closure $next)
    {
        return $next($request)
            ->header('Access-Control-Allow-Origin', '*')
            ->header('Access-Control-Allow-Methods', 'GET, POST, PUT, PATCH, DELETE, OPTIONS')
            ->header('Access-Control-Allow-Headers', '*');
    }

[romansorin]

Same thing, I removed the fruitcake cors and using my own middleware.

    public function handle(Request $request, Closure $next)
    {
        return $next($request)
            ->header('Access-Control-Allow-Origin', '*')
            ->header('Access-Control-Allow-Methods', 'GET, POST, PUT, PATCH, DELETE, OPTIONS')
            ->header('Access-Control-Allow-Headers', '*');
    }

This did it for me. For whatever reason, using the CORS package didn't work on any routes, even if they were explicitly specified. I don't believe that this solution covers preflight requests appropriately, but it handles most cases.

[wsajjadh]

I had same issues and spent hours of debugging but at last I just run php artisan config:cache and copied the bootstrap/config files to server.

Do not forgot to change your ENV to production settings such as db, keys and etc before running config:cache

Please note that I had this issue when the app is on server. Everything works perfectly in local development.

[fylzero]

Same issue here. The preflight simply does not seem to work for most situations. Nothing I tried would send the headers except adding them in middleware or to the route file manually. There should just be an option to disable preflight and always add the headers - since that is what most of us running into this issue are doing.

cc: @barryvdh