Reason

Reason: CORS header 'Access-Control-Allow-Origin' missing

What went wrong?

The response to theCORS request is missing the requiredAccess-Control-Allow-Origin header, which is used to determine whetheror not the resource can be accessed by content operating within the current origin.

If the server is under your control, add the origin of the requesting site to the setof domains permitted access by adding it to theAccess-Control-Allow-Originheader's value.

For example, to allow a site athttps://example.com to access the resource using CORS,the header should be:

Access-Control-Allow-Origin: https://example.com

You can also configure a site to allow any site to access it by using the* wildcard. You should only use this for public APIs. Private APIs shouldnever use*, and should instead have a specific domain or domains set. Inaddition, the wildcard only works for requests made with thecrossorigin attribute set toanonymous, and it preventssending credentials like cookies in requests.

Access-Control-Allow-Origin: *

To allow any site to make CORS requestswithout using the*wildcard (for example, to enable credentials), your server must read the value of therequest'sOrigin header and use that value to setAccess-Control-Allow-Origin, and must also set aVary: Originheader to indicate that some headers are being set dynamically depending on the origin.

Examples for common web servers

The exact directive for setting headers depends on your web server.

In the examples below,

InApache (docs), add aline such as the following to the server's configuration (within the appropriate<Directory>,<Location>,<Files>, or<VirtualHost> section). Theconfiguration is typically found in a.conf file (httpd.confandapache.conf are common names for these), or in an.htaccess file:

Header set Access-Control-Allow-Origin 'https://example.com'

ForNginx (docs), the command to set up this header is:

add_header 'Access-Control-Allow-Origin' 'https://example.com' always;

See also

• CORS errors
• Glossary:CORS
• CORS introduction