-3

Im with error in request

Access to XMLHttpRequest at 'http://myapi/page.cfm' from origin 'http://127.0.0.1:8081' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

In 127.0.0.1 on the index page.cfm I have a link

which loads an image at 127.0.0.1/index.cfm.

In the mscript file.js I have the mentioned code that calls a page through page.cfm which does a validation and returns the image with a link to open another page. page.cfm would be the API

Part of my code file.js:

 let xhr = new XMLHttpRequest();
url = 'myapi/page.cfm';
     xhr.open("POST", url, true);
    xhr.setRequestHeader("Content-Type", "application/json");
    xhr.setRequestHeader('Access-Control-Allow-Origin', '*');
    xhr.setRequestHeader('Access-Control-Allow-Methods', 'GET,OPTIONS,PATCH,DELETE,POST,PUT');
    xhr.setRequestHeader('Access-Control-Allow-Headers', 'X-CSRF-Token, X-Requested-With, Accept, Accept-     Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version, Authorization');
    xhr.setRequestHeader('Access-Control-Allow-Credentials', 'true');
    xhr.setRequestHeader('Accept', '*/*');
xhr.onreadystatechange = function () {
        if (xhr.readyState === 4 && xhr.status === 200) {
               addImageBase64();

}



Could you tell me why it keeps giving origin error when it has already been set Access-Control-Allow-Origin?

Thanks

Carmem
  • 1
  • 1
  • The `Access-Control-Allow-Origin` header is used by the page you send the request to—in this case, the API. If `myapi/page.cfm` doesn't send a _response_ with this header, CORS is blocked. It doesn't matter whether the localhost server uses the header—that's not where it's used. – Someone Aug 10 '23 at 23:08
  • There are hundreds of similar questions here. What research have you done? – Barmar Aug 10 '23 at 23:08
  • `Response to preflight` usually means that you've failed to write code on the server to properly handle the `OPTIONS` request method that is used for CORS preflight - and also don't put response headers in a request as mentioned above - to reiterate, CORS is controlled by the *server* not the *client* (browser) – Jaromanda X Aug 10 '23 at 23:18

0 Answers0