blocked by CORS policy: Response to preflight request doesn't pass access control check

Quote

Post by Eveline_2 » Thu Sep 19, 2019 6:44 pm

Hi,

Yesterday i installed a SSL certificate on my new store. Everything worked fine. However today i cannot add anything to my shopping basket, add to wishlist or compare list. The icons are also not displaying.

In the console:

Code: Select all

jquery-2.1.1.min.js:4 Cross-Origin Read Blocking (CORB) blocked cross-origin response https://mozaiekdesign.nl/index.php?route=account/wishlist/add with MIME type application/json. See https://www.chromestatus.com/feature/5629709824032768 for more details.
send @ jquery-2.1.1.min.js:4
ajax @ jquery-2.1.1.min.js:4
add @ common.js:274
onclick @ (index):250
(index):1 Access to XMLHttpRequest at 'https://mozaiekdesign.nl/index.php?route=checkout/cart/add' from origin 'https://www.mozaiekdesign.nl' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Like i said it worked yesterday and haven't touched in since. My /config in root and admin are adapted to say https . In Admin i set HTTPS. The SSL was installed by my host. I assume that went ok? I get no certificate erros when i click on the lock ikon in by browers. It says Certificate OK
Eveline_2
New member
Posts
36
Joined
Tue Aug 27, 2019 10:52 pm
Top

Re: blocked by CORS policy: Response to preflight request doesn't pass access control check

Quote

Post by Eveline_2 » Thu Sep 19, 2019 8:14 pm

I have set the following:

root:

// HTTP
define('HTTP_SERVER', 'http://mozaiekdesign.nl/');

// HTTPS
define('HTTPS_SERVER', 'https://mozaiekdesign.nl/');

admin:

// HTTP
define('HTTP_SERVER', 'http://mozaiekdesign.nl/admin/');
define('HTTP_CATALOG', 'http://mozaiekdesign.nl/');

// HTTPS
define('HTTPS_SERVER', 'https://mozaiekdesign.nl/admin/');
define('HTTPS_CATALOG', 'https://mozaiekdesign.nl/');

.htaccess:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://mozaiekdesign.nl/$1 [R=301,L]

Goes wrong:

http://mozaiekdesign.nl
https://mozaiekdesign.nl

Goes right:

mozaiekdesign.nl
Eveline_2
New member
Posts
36
Joined
Tue Aug 27, 2019 10:52 pm
Top

Re: blocked by CORS policy: Response to preflight request doesn't pass access control check

Quote

Post by letxobnav » Thu Sep 19, 2019 9:22 pm

well, not an ssl issue, but a cross origin issue between www and non-www domain.
'https://mozaiekdesign.nl/index.php?rout ... t/cart/add' from origin 'https://www.mozaiekdesign.nl' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
But I think that has been solved already, clear your browser cache.

I would use:

Code: Select all

// HTTP
define('HTTP_SERVER', 'https://mozaiekdesign.nl/');
// HTTPS
define('HTTPS_SERVER', 'https://mozaiekdesign.nl/');

admin:
// HTTP
define('HTTP_SERVER', 'https://mozaiekdesign.nl/admin/');
define('HTTP_CATALOG', 'https://mozaiekdesign.nl/');
// HTTPS
define('HTTPS_SERVER', 'https://mozaiekdesign.nl/admin/');
define('HTTPS_CATALOG', 'https://mozaiekdesign.nl/');
All https as you are directing the browsers to go to https anyway with your HSTS header so now the browser does a constant 307 internal redirect from http to https on every page request which is a waste.

Crystal Light Centrum Taiwan
Extensions: MailQueue | SUKHR | VBoces

“Data security is paramount at [...], and we are committed to protecting the privacy of anyone who is associated with our [...]. We’ve made a lot of improvements and will continue to make them.”
When you know your life savings are gone.

User avatar
letxobnav
Expert Member
Posts
3264
Joined
Fri Aug 18, 2017 4:35 pm
Location - Taiwan
Top

Re: blocked by CORS policy: Response to preflight request doesn't pass access control check

Quote

Post by Eveline_2 » Thu Sep 19, 2019 10:24 pm

I've changed both config files to https for all.

It's not the browser cache. I've already tried that and it happens on my mobile as well (I usually use a private window for testing anyway)

Problem is still there

root:

// HTTP
define('HTTP_SERVER', 'https://mozaiekdesign.nl/');

// HTTPS
define('HTTPS_SERVER', 'https://mozaiekdesign.nl/');


admin

// HTTP
define('HTTP_SERVER', 'https://mozaiekdesign.nl/admin/');
define('HTTP_CATALOG', 'https://mozaiekdesign.nl/');

// HTTPS
define('HTTPS_SERVER', 'https://mozaiekdesign.nl/admin/');
define('HTTPS_CATALOG', 'https://mozaiekdesign.nl/');
Eveline_2
New member
Posts
36
Joined
Tue Aug 27, 2019 10:52 pm
Top

Re: blocked by CORS policy: Response to preflight request doesn't pass access control check

Quote

Post by Eveline_2 » Thu Sep 19, 2019 10:30 pm

When i manually remove the www in the URL is works. You are definately on to something.

However when i type mozaiekdesign.nl it adds www automatically...
Eveline_2
New member
Posts
36
Joined
Tue Aug 27, 2019 10:52 pm
Top

Re: blocked by CORS policy: Response to preflight request doesn't pass access control check

Quote

Post by letxobnav » Fri Sep 20, 2019 8:18 am

However when i type mozaiekdesign.nl it adds www automatically...
not from here, clear you browser.

Crystal Light Centrum Taiwan
Extensions: MailQueue | SUKHR | VBoces

“Data security is paramount at [...], and we are committed to protecting the privacy of anyone who is associated with our [...]. We’ve made a lot of improvements and will continue to make them.”
When you know your life savings are gone.

User avatar
letxobnav
Expert Member
Posts
3264
Joined
Fri Aug 18, 2017 4:35 pm
Location - Taiwan
Top

Re: blocked by CORS policy: Response to preflight request doesn't pass access control check

Quote

Post by Eveline_2 » Thu Sep 26, 2019 1:35 am

It's not solved and it's not my browser.....

I asked my host. They agreed there is a problem.

Code: Select all

Hi,

Thank you for contacting us. Browsers only load fonts from the actual domain by default, due to security reasons. In your case you are trying to load the fonts from the site https://www.mozaiekdesign.nl where the actual URL is https://mozaiekdesign.nl. That is the reason chrome is blocking your site.Please check the below screenshots for more details

https://prnt.sc/pavwqt (with www)
https://prnt.sc/pavwyd (without www)

Also, please check the images under the products in below screenshots

https://puu.sh/Elf5C/c9f9a70860.png (non www site. You can see heart symbol)
https://puu.sh/Elf64/f54e055f7a.png (www site. Heart and other symbols are missing)

[b]To resolve this issue you need to adjust the CSS to make those load from the https:// NON WWW version of the site[/b]. Please feel free to contact us if you have any questions.

Thank you !
I'm hoping there is finally some help from this forum... How to solve this?
Eveline_2
New member
Posts
36
Joined
Tue Aug 27, 2019 10:52 pm
Top

Re: blocked by CORS policy: Response to preflight request doesn't pass access control check

Quote

Post by ADD Creative » Fri Sep 27, 2019 2:37 am

The problem looks like your redirects in your .htaccess. You are not redirecting www.mozaiekdesign.nl to mozaiekdesign.nl correctly for when using a HSTS header.

Try changing the following.

Code: Select all

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://mozaiekdesign.nl/$1 [R=301,L]
To.

Code: Select all

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteCond %{HTTP_HOST} !^mozaiekdesign\.nl$ [NC]
RewriteRule ^(.*)$ https://mozaiekdesign.nl/$1 [E=HTTPS,R=301,L]

www.add-creative.co.uk

ADD Creative
Expert Member
Posts
4633
Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom
Top

Re: blocked by CORS policy: Response to preflight request doesn't pass access control check

Quote

Post by Eveline_2 » Fri Sep 27, 2019 3:09 am

This seems to solve the problem thanks!

I noticed it always removes the www from the url. Is that supposed to be like that? I would prefer to keep the www but i can live without it.

But my site now completely works again regardless of how you type the URL thank you very much :)
Eveline_2
New member
Posts
36
Joined
Tue Aug 27, 2019 10:52 pm
Top

Re: blocked by CORS policy: Response to preflight request doesn't pass access control check

Quote

Post by ADD Creative » Fri Sep 27, 2019 3:43 am

Yes, it's supposed to remove the www. You can configure it the other way around if you want. You would have to ensure that your SSL certificate includes the www version of your domain, set your OpenCart config.php files to use the www version and change the redirect code in htaccess to also use the www version.

It would also be best to inform Google and other search engines that you are using the www version (Google currently has the non-www version indexed).

Also, the latest version of Chrome 76 now hides the www part of a domain in the address bar. So to be honest, I don't think it's worth the effort.

www.add-creative.co.uk

ADD Creative
Expert Member
Posts
4633
Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom
Top

Re: blocked by CORS policy: Response to preflight request doesn't pass access control check

Quote

Post by Eveline_2 » Fri Sep 27, 2019 3:47 am

I'll keep it like that then. Thanks :)
Eveline_2
New member
Posts
36
Joined
Tue Aug 27, 2019 10:52 pm
Top
Post Reply
Return to “Installation, Upgrade, & Config Support”
Who is online

Users browsing this forum: No registered users and 66 guests