I am getting no CORS header set, even though it is set. Why?

Question

I'm getting this CORS error when trying to download an image (but I get the same error with any URL):

Access to XMLHttpRequest at 'https://s.iha.com/00144228146/Paimpol-Lighthouse-of-the-peacock-on-the-island-of-brehat-near-paimpol.jpeg' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I am running an ExpressJS server, with Parcel Bundler:

const app = express();


app.use(cors());


app.use(bodyParser.urlencoded({
    extended: false
}));
app.use(bodyParser.json());
app.use(morgan('dev'));

const http = require('http').Server(app);

http.listen(port);

app.use(bundler.middleware());

As you can see above, I've tried Express's cors() plugin and I've tried manually setting the headers myself like so:

    app.use((req, res, next) => {
            res.setHeader('Access-Control-Allow-Origin', '*');
            res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS, PUT, PATCH, DELETE');
            res.setHeader('Access-Control-Allow-Headers', 'X-Requested-With,content-type');
            res.setHeader('Access-Control-Allow-Credentials', true);

            next();

However, no matter what I've tried. I still get this same No 'Access-Control-Allow-Origin' header is present on the requested resource error.

In Chrome I can see these headers set:

Something isn't matching up and I haven't figured out what. Any help would be very appreciated!

Answer 1

The error you're getting is not coming from your server: http://localhost:3000 but from: https://s.iha.com/.

Don't issue an AJAX request, just serve the image using <img> tag.

You can download from your server, to avoid CORS issues, or just hit a server that has CORS enabled.