This page contains a list of common issues that can be encountered when setting up CORS and Corsica. These issues are not necessarily specific to Corsica but they bubble up in the Corsica issue tracker often enough to justify talking about them in the documentation.
When attempting to perform a CORS request to your server, your browser might log the following error in the console:
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'example.com' is therefore not allowed access.
This is a generic response that means your server is not allowing the CORS request. Some common reasons that can cause this are listed below.
The Corsica plug is lower than the handling router in your plug pipeline. In order to be able to add CORS headers to responses and handle preflight requests, the Corsica plug (either with
plug Corsicaor as the router generated by
use Corsica.Router) must be higher in the plug pipeline than plugs that send a response down the connection.
The server doesn't recognize the origin (the browser's current URL) as an allowed origin. Check the
http://localhost:8100, then the
:originsoption must contain
http://localhost:8100(or "*" to allow anything). Read the documentation for the
Corsicamodule for more information on the possible values of the
The server doesn't allow the headers that the client is requesting. The client (such as the browser) can ask to use certain headers by sending a list of such headers in the
Allow-Control-Request-Headersheader included in the preflight request. For example, the client could ask to use
Allow-Control-Request-Headers: Content-Type, Accept. The server (specifically, Corsica in this case) must respond to the preflight request and allow those headers by specifying them in the response
Access-Control-Allow-Headersheader. You can use the
:allow_headersoption passed to Corsica. In the example above, you would have to pass something like
allow_headers: ["content-type", "accept"].