providencemac

Reputation: 632

Access-Control-Allow-Origin is not recognized by Chrome

I understand CORS and how to set the appropriate Access-Control-* headers on a server response. The problem I'm finding is that even though my server is responding with Access-Control-Allow-Origin:*, Chrome is refusing to accept the response.

OPTIONS request:

OPTIONS /api/shows/1 HTTP/1.1
Host: *****
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: http://localhost:8888
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36
Access-Control-Request-Headers: accept, platform, version
Accept: */*
Referer: http://localhost:8888/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8

Response:

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 0
Content-Type: */*
Content-Encoding: gzip
Expires: -1
Server: Microsoft-IIS/8.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Content-Type, Platform, Version
Access-Control-Allow-Methods: OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 03 Oct 2014 19:07:28 GMT

In the debug console, Chrome displays:

XMLHttpRequest cannot load http://****/api/shows/1. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'localhost:8888' is therefore not allowed access.

Obviously, there is an Access-Control-Allow-Origin in the response, but for some reason Chrome thinks it is invalid? Is there a condition where I cannot use the wildcard for this response?

Thanks in advance!

Upvotes: 5

Views: 8756

Answers (3)

hiba akroush

Reputation: 11

Go to the “Desktop”, select the “Google Chrome” icon and right-click on it, then go to its “Properties”.

Here in Properties, find the input box with the label “Target”; in this box the location of Chrome is given as follows.

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="c:/someFolderName"

Finally, launch Chrome afresh to see a yellow pop-up at the top of the screen.

source: https://www.thegeekstuff.com/2016/09/disable-same-origin-policy/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%253A+TheGeekStuff+(The+Geek+Stuff)

Good luck

Upvotes: -4

providencemac

Reputation: 632

In this case, I solved the issue by also including the Access-Control-* headers in the GET response as well. Based on my understanding of the spec, this should not be required, but the problem was resolved this way.

If anyone has an explanation for this, I would love to hear it.

Upvotes: 5
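
The behaviour described in the answer above, as an added example that is not part of the original posts: a simplified JavaScript model of the browser's CORS checks, showing that a passing preflight does not exempt the actual GET response from carrying Access-Control-Allow-Origin. The header values come from the question; the function names and the contents of the two GET responses are assumptions for illustration.

```javascript
// Simplified model of the browser's CORS checks (added example, not Chrome's code).
const SAFELISTED = new Set(["accept", "accept-language", "content-language"]);

// Header lookup is case-insensitive, as HTTP field names are.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// The CORS check applied to EVERY cross-origin response, preflight or actual.
function corsCheck(headers, origin, withCredentials) {
  const allow = header(headers, "Access-Control-Allow-Origin");
  if (allow === null) return "no Access-Control-Allow-Origin header";
  if (allow === "*") return withCredentials ? "wildcard not allowed with credentials" : null;
  return allow === origin ? null : "origin mismatch";
}

function splitList(value) {
  return (value || "").split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
}

// Returns null on success, or the reason the browser would block the request.
function simulate(req, preflightRes, actualRes) {
  let err = corsCheck(preflightRes, req.origin, req.withCredentials);
  if (err) return "preflight: " + err;
  const methods = splitList(header(preflightRes, "Access-Control-Allow-Methods"));
  if (!methods.includes(req.method.toLowerCase())) return "preflight: method not allowed";
  const allowed = splitList(header(preflightRes, "Access-Control-Allow-Headers"));
  for (const h of req.headers.map(s => s.toLowerCase())) {
    if (!SAFELISTED.has(h) && !allowed.includes(h)) return "preflight: header " + h + " not allowed";
  }
  err = corsCheck(actualRes, req.origin, req.withCredentials);
  return err ? "actual response: " + err : null;
}

// Constructed from the headers quoted in the question.
const request = { origin: "http://localhost:8888", method: "GET",
                  headers: ["accept", "platform", "version"], withCredentials: false };
const preflight = {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Headers": "Content-Type, Platform, Version",
  "Access-Control-Allow-Methods": "OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE",
};
const getWithoutCors = { "Content-Type": "application/json" };  // assumed original GET response
const getWithCors = { ...getWithoutCors, "Access-Control-Allow-Origin": "*" };  // after the fix

console.log(simulate(request, preflight, getWithoutCors));
console.log(simulate(request, preflight, getWithCors));
```

The model also covers the wildcard condition asked about in the question: with `withCredentials` set to true, a response carrying `Access-Control-Allow-Origin: *` fails the check and the server has to echo the specific origin instead.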

Beckafly

Reputation: 411

Access-Control-Request-Headers are case sensitive... accept should be Accept

Upvotes: 0
