Comprehensive Guide to CORS Errors: From Preflight Requests to Practical Solutions

Abstract: This technical paper provides an in-depth analysis of common CORS errors in JavaScript development, including 'No Access-Control-Allow-Origin header' and 'Access-Control-Allow-Origin header must not be the wildcard'. Through detailed examination of CORS preflight mechanisms, it offers practical solutions such as using CORS proxies, avoiding preflight triggers, and proper server response header configuration. The paper combines real code examples with server configuration recommendations to provide developers with a complete framework for troubleshooting and resolving cross-origin request issues.

Core Mechanisms of CORS Errors

Cross-Origin Resource Sharing (CORS) is a fundamental security mechanism in modern web development, yet it frequently presents challenges for developers. When browsers detect cross-origin requests, they enforce same-origin policy restrictions, requiring explicit server authorization to complete the request.

Preflight Request Triggers and Handling

Certain types of requests trigger browsers to send preflight OPTIONS requests, which represent a critical component of the CORS mechanism. Typical conditions that activate preflight include using non-simple request methods (such as PUT or DELETE), setting custom headers (like Authorization), or employing specific Content-Types (such as application/json).

The following code example demonstrates proper fetch request construction while avoiding client-side CORS response header settings:

function performSignIn() {
  let headers = new Headers();
  headers.append('Content-Type', 'application/json');
  headers.append('Accept', 'application/json');
  headers.append('Authorization', 'Basic ' + btoa(username + ":" + password));

  fetch(sign_in, {
    credentials: 'include',
    method: 'POST',
    headers: headers
  })
  .then(response => response.json())
  .then(json => console.log(json))
  .catch(error => console.log('Authorization failed: ' + error.message));
}

The key improvement involves removing incorrect Access-Control-Allow-* request header settings, as these should be server response headers rather than client request headers.

CORS Proxy Solutions

When developers lack control over the target server, CORS proxies emerge as effective solutions. By routing requests through intermediate proxy servers that add necessary CORS headers, browsers' same-origin policy restrictions can be circumvented.

Complete deployment process for CORS Anywhere proxy:

git clone https://github.com/Rob--W/cors-anywhere.git
cd cors-anywhere/
npm install
heroku create
git push heroku master

After successful deployment, prefix request URLs with the proxy server address:

https://your-proxy.herokuapp.com/https://target-api.com

The proxy server workflow encompasses: receiving frontend requests, forwarding to target servers, receiving responses, adding CORS headers, and returning to frontend. This approach functions effectively even for complex requests requiring preflight.

Preflight Request Testing and Debugging

Using curl to simulate browser preflight requests represents a crucial debugging technique:

curl -i -X OPTIONS -H "Origin: http://127.0.0.1:3000" \
    -H 'Access-Control-Request-Method: POST' \
    -H 'Access-Control-Request-Headers: Content-Type, Authorization' \
    "https://api.example.com/signin"

Servers must return correct response headers and status codes:

Access-Control-Allow-Origin: http://127.0.0.1:3000
Access-Control-Allow-Methods: POST
Access-Control-Allow-Headers: Content-Type, Authorization

Status codes must belong to the 2xx series (typically 200 or 204), as any other status code will cause preflight failure.

Credentialed Requests and Wildcard Restrictions

When requests include credentials (credentials: 'include'), servers cannot use wildcard * as the Access-Control-Allow-Origin value. Browsers strictly verify whether this header exactly matches the request origin.

Server-side configuration example (nginx):

add_header Access-Control-Allow-Origin $http_origin;
add_header Access-Control-Allow-Credentials true;

This configuration dynamically reflects the request's Origin header value, ensuring compliance with credentialed request requirements.

Strategies for Avoiding Preflight Requests

Adjusting request parameters can prevent preflight triggering, thereby simplifying CORS handling:

Use application/x-www-form-urlencoded instead of application/json
Place authentication information in request body rather than Authorization header
Employ simple GET requests instead of complex POST requests

These strategies can significantly reduce CORS configuration complexity in specific scenarios.

Practical Case Analysis

References to multiple real development scenarios, including Figma plugins accessing Jira API, WordPress REST API integration, and cross-origin issues in local development environments, collectively demonstrate the importance of proper CORS configuration. These cases uniformly indicate that correct server-side CORS configuration represents the fundamental approach to resolving cross-origin problems.

During development, avoid using browser plugins to bypass CORS restrictions, as these tools often fail to properly handle complex scenarios like credentialed requests. Professional API testing tools such as Postman are recommended for interface verification, ensuring server-side configuration correctness before frontend integration.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.