Access-control-allow-origin header missing in response header

I am using a Docker-based HTTP service and it seems like my responses are missing some headers.

When I run my service locally, these are my headers:

➜  ~ curl -I -S -X GET "http://localhost:3000/public.fires.json"      

HTTP/1.1 200 OK
content-length: 307
content-type: application/json
access-control-allow-origin: *
date: Thu, 15 Jul 2021 22:20:26 GMT

However, the response headers are missing the critical access-control-allow-origin header, which I need for CORS compliance, when I run the same service in Render:

➜  ~ curl -s -I -X GET "https://martin.onrender.com/public.fires.json"

HTTP/2 200 
content-type: application/json
date: Thu, 15 Jul 2021 22:21:09 GMT
server: Render

My Dockerfile for this service is as simple as they come:

FROM urbica/martin:latest

Thanks in advance.


Did some sleuthing on this: not sure if this is the issue but seemingly someone else ran into this with Martin before. (Martin is a Rust-based tileserver that uses Actix.)

This is a theory (and I have no way to test this) but given the fix in the GitHub issue seems to be including an Nginx rule to forward the protocol, it seems plausible that Render terminating HTTPS connections to be HTTP within its network could be an issue.

But that seems hella weird to me. But so is Render mangling with the outgoing response headers from Martin.

What if you include an origin in your cURL request?

curl -s -I -X GET "https://martin.onrender.com/public.fires.json" -H "Origin: localhost"

It doesn’t help, unfortunately.

➜  ~ curl -s -I -X GET "https://martin.onrender.com/public.fires.json" -H "Origin: localhost"
HTTP/2 200 
access-control-allow-origin: localhost
content-type: application/json
date: Fri, 16 Jul 2021 14:57:01 GMT
server: Render
vary: Origin

I don’t think you can set that header via JS anyway; even if it did work, that’d not help me.

You shouldn’t need to set the header; the browser would add it for you based on the site you’re loading the JS on:

e.g. https://www.test-cors.org/#?client_method=GET&client_credentials=false&server_url=https%3A%2F%2Fmartin.onrender.com%2Fpublic.fires.json&server_enable=true&server_status=200&server_credentials=false&server_tabs=remote

Open up the network inspector before you send the request - on the request to your json the browser has added the origin: www.test-cors.org
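The curl outputs in this thread show the deployed service returning access-control-allow-origin (with vary: Origin) only when the request carries an Origin header, and echoing the value it was sent. The following is an added example, not code from the thread or from Martin: a constructed local handler with that behaviour, plus a probe that labels a server's CORS policy; the handler, the probe origins and all function names are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class ReflectingHandler(BaseHTTPRequestHandler):
    """Constructed stand-in: CORS headers only when Origin is sent, echoed."""

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        origin = self.headers.get("Origin")
        if origin is not None:
            self.send_header("Access-Control-Allow-Origin", origin)
            self.send_header("Vary", "Origin")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass

def start_demo_server():
    # Bind a free loopback port and serve in a daemon thread.
    server = HTTPServer(("127.0.0.1", 0), ReflectingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def acao(host, port, path, origin=None):
    """HEAD the resource; return Access-Control-Allow-Origin or None."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("HEAD", path, headers={"Origin": origin} if origin else {})
        return conn.getresponse().getheader("Access-Control-Allow-Origin")
    finally:
        conn.close()

def classify(host, port, path):
    """Label the policy from probes with two constructed origins."""
    a, b = "https://probe-a.example", "https://probe-b.example"
    seen_a, seen_b = acao(host, port, path, a), acao(host, port, path, b)
    if seen_a == "*" and seen_b == "*":
        return "wildcard"
    if seen_a == a and seen_b == b:
        return "reflects-origin"
    if seen_a is None and seen_b is None:
        return "no-cors-headers"
    return "allowlist-or-mixed"

if __name__ == "__main__":
    srv = start_demo_server()
    print(classify(*srv.server_address, "/public.fires.json"))
    srv.shutdown()
```

For requests without credentials, a `reflects-origin` result gives every site the same read access as `*`, so a missing header on a request sent without Origin says nothing about what a browser will see.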