Reason: CORS header 'Access-Control-Allow-Origin' does not match 'xyz'

Reason

Reason: CORS header 'Access-Control-Allow-Origin' does not match 'xyz'

What went wrong?

Simply put, the origin making the request does not match any of the origins permitted by the  Access-Control-Allow-Origin header.

This error can also occur if the response includes more than one Access-Control-Allow-Origin header.

If the service your code is accessing using a CORS request is under your control, make sure that it's configured to include your origin in its Access-Control-Allow-Origin header, and that only one such header is included in responses. The header itself accepts a comma-delineated list of origins, so adding a new origin is not difficult.

For example, in Apache, add a line such as the following to the server's configuration (within the appropriate <Directory>, <Location>, <Files>, or <VirtualHost> section). The configuration is typically found in a .conf file (httpd.conf and apache.conf are common names for these), or in an .htaccess file.

Header set Access-Control-Allow-Origin 'origin-list'

For Nginx, the command to set up this header is:

add_header 'Access-Control-Allow-Origin' 'origin-list'

See also

Sujets associés
  1. HTTP
  2. Guides:
  3. Resources and URIs
    1. Identifying resources on the Web
    2. Data URIs
    3. Introduction to MIME Types
    4. Complete list of MIME Types
    5. Choosing between www and non-www URLs
  4. HTTP guide
    1. Basics of HTTP
    2. Overview of HTTP
    3. Evolution of HTTP
    4. HTTP Messages
    5. A typical HTTP session
    6. Connection management in HTTP/1.x
    7. Protocol upgrade mechanism
  5. HTTP security
    1. Content Security Policy (CSP)
    2. HTTP Public Key Pinning (HPKP)
    3. HTTP Strict Transport Security (HSTS)
    4. Cookie security
    5. X-Content-Type-Options
    6. X-Frame-Options
    7. X-XSS-Protection
    8. Mozilla web security guidelines
    9. Mozilla Observatory
  6. HTTP access control (CORS)
  7. HTTP authentication
  8. HTTP caching
  9. HTTP compression
  10. HTTP conditional requests
  11. HTTP content negotiation
  12. HTTP cookies
  13. HTTP range requests
  14. HTTP redirects
  15. HTTP specifications
  16. Feature policy
  17. References:
  18. HTTP headers
    1. Accept
    2. Accept-Charset
    3. Accept-Encoding
    4. Accept-Language
    5. Accept-Ranges
    6. Access-Control-Allow-Credentials
    7. Access-Control-Allow-Headers
    8. Access-Control-Allow-Methods
    9. Access-Control-Allow-Origin
    10. Access-Control-Expose-Headers
    11. Access-Control-Max-Age
    12. Access-Control-Request-Headers
    13. Access-Control-Request-Method
    14. Age
    15. Allow
    16. Alt-Svc
    17. Authorization
    18. Cache-Control
    19. Clear-Site-Data
    20. Connection
    21. Content-Disposition
    22. Content-Encoding
    23. Content-Language
    24. Content-Length
    25. Content-Location
    26. Content-Range
    27. Content-Security-Policy
    28. Content-Security-Policy-Report-Only
    29. Content-Type
    30. Cookie
    31. Cookie2
    32. DNT
    33. Date
    34. ETag
    35. Early-Data
    36. Expect
    37. Expect-CT
    38. Expires
    39. Feature-Policy
    40. Forwarded
    41. From
    42. Host
    43. If-Match
    44. If-Modified-Since
    45. If-None-Match
    46. If-Range
    47. If-Unmodified-Since
    48. Index
    49. Keep-Alive
    50. Large-Allocation
    51. Last-Modified
    52. Location
    53. Origin
    54. Pragma
    55. Proxy-Authenticate
    56. Proxy-Authorization
    57. Public-Key-Pins
    58. Public-Key-Pins-Report-Only
    59. Range
    60. Referer
    61. Referrer-Policy
    62. Retry-After
    63. Sec-WebSocket-Accept
    64. Server
    65. Server-Timing
    66. Set-Cookie
    67. Set-Cookie2
    68. SourceMap
    69. Strict-Transport-Security
    70. TE
    71. Timing-Allow-Origin
    72. Tk
    73. Trailer
    74. Transfer-Encoding
    75. Upgrade-Insecure-Requests
    76. User-Agent
    77. Vary
    78. Via
    79. WWW-Authenticate
    80. Warning
    81. X-Content-Type-Options
    82. X-DNS-Prefetch-Control
    83. X-Forwarded-For
    84. X-Forwarded-Host
    85. X-Forwarded-Proto
    86. X-Frame-Options
    87. X-XSS-Protection
  19. HTTP request methods
    1. CONNECT
    2. DELETE
    3. GET
    4. HEAD
    5. OPTIONS
    6. PATCH
    7. POST
    8. PUT
    9. TRACE
  20. HTTP response status codes
    1. 100 Continue
    2. 101 Switching Protocols
    3. 200 OK
    4. 201 Created
    5. 202 Accepted
    6. 203 Non-Authoritative Information
    7. 204 No Content
    8. 205 Reset Content
    9. 206 Partial Content
    10. 300 Multiple Choices
    11. 301 Moved Permanently
    12. 302 Found
    13. 303 See Other
    14. 304 Not Modified
    15. 307 Temporary Redirect
    16. 308 Permanent Redirect
    17. 400 Bad Request
    18. 401 Unauthorized
    19. 403 Forbidden
    20. 404 Not Found
    21. 405 Method Not Allowed
    22. 406 Not Acceptable
    23. 407 Proxy Authentication Required
    24. 408 Request Timeout
    25. 409 Conflict
    26. 410 Gone
    27. 411 Length Required
    28. 412 Precondition Failed
    29. 413 Payload Too Large
    30. 414 URI Too Long
    31. 415 Unsupported Media Type
    32. 416 Range Not Satisfiable
    33. 417 Expectation Failed
    34. 418 I'm a teapot
    35. 422 Unprocessable Entity
    36. 425 Too Early
    37. 426 Upgrade Required
    38. 428 Precondition Required
    39. 429 Too Many Requests
    40. 431 Request Header Fields Too Large
    41. 451 Unavailable For Legal Reasons
    42. 500 Internal Server Error
    43. 501 Not Implemented
    44. 502 Bad Gateway
    45. 503 Service Unavailable
    46. 504 Gateway Timeout
    47. 505 HTTP Version Not Supported
    48. 511 Network Authentication Required
  21. CSP directives
    1. CSP: base-uri
    2. CSP: block-all-mixed-content
    3. CSP: child-src
    4. CSP: connect-src
    5. CSP: default-src
    6. CSP: font-src
    7. CSP: form-action
    8. CSP: frame-ancestors
    9. CSP: frame-src
    10. CSP: img-src
    11. CSP: manifest-src
    12. CSP: media-src
    13. CSP: object-src
    14. CSP: plugin-types
    15. CSP: referrer
    16. CSP: report-uri
    17. CSP: require-sri-for
    18. CSP: sandbox
    19. CSP: script-src
    20. CSP: style-src
    21. CSP: upgrade-insecure-requests
    22. CSP: worker-src
    23. report-to
  22. CORS errors
    1. Reason: CORS disabled
    2. Reason: CORS header 'Access-Control-Allow-Origin' does not match 'xyz'
    3. Reason: CORS header 'Access-Control-Allow-Origin' missing
    4. Reason: CORS header ‘Origin’ cannot be added
    5. Reason: CORS preflight channel did not succeed
    6. Reason: CORS request did not succeed
    7. Reason: CORS request external redirect not allowed
    8. Reason: CORS request not HTTP
    9. Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’
    10. Reason: Did not find method in CORS header ‘Access-Control-Allow-Methods’
    11. Reason: Multiple CORS header 'Access-Control-Allow-Origin' not allowed
    12. Reason: expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’
    13. Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’
    14. Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Methods’
    15. Reason: missing token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel
  23. Feature-Policy directives
    1. Feature-Policy: autoplay
    2. Feature-Policy: camera
    3. Feature-Policy: encrypted-media
    4. Feature-Policy: fullscreen
    5. Feature-Policy: geolocation
    6. Feature-Policy: microphone
    7. Feature-Policy: midi
    8. Feature-Policy: payment
    9. Feature-Policy: vr
    10. document-domain