How to fix "Cross-Origin Request Blocked" Errors?

beansbaxter

Verified User
Joined
Mar 17, 2004
Messages
218
Location
WA
Need some help with CORS on an Apache DA system,

Website keeps giving this error:

Code:
(Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 400.

How to fix this? I've searched the forums and online, tried different things in .htaccess but still getting this error.

If it matters, I'm running the latest DA with Apache 2.4

Any help would be greatly appreciated.

Thank you.
 
Last edited:
I followed these instructions:


And restarted DA, but that did not work. I've tried different lines in the public_html/.htaccess but that's not working

Looking at the browser console errors:

Code:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at...

(Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 400.

Any idea how to fix this?
 
Not sure within what context you are wanting this.

And the DirectAdmin documentation linked can be an example of how vague DirectAdmin documentation can be. Not sure how old that documentation is, but it does note version 1.43.0 - and we're at 1.641 now... so not sure if that documentation is even still relevant.

If you are wanting to add a Access-Control-Allow-Origin header to a page, why not just add a Access-Control-Allow-Origin header with PHP?

header("Access-Control-Allow-Origin: %origin%");

Add that to the top of the PHP file being accessed (so that it gets added to the headers).

Or... perhaps I'm missing something?
 
That's not working...

Does DA install mod_headers when it does a default Apache install for CentOS?

Looking in /etc/httpd/conf/httpd.conf

And I don't see anything about mod_headers
 
Ok, I see headers. Looks like DA does install it by default...

Code:
[root@server ~]# httpd -M
Loaded Modules:
 core_module (static)
 authn_file_module (static)
 authn_dbm_module (static)
 authn_anon_module (static)
 authn_dbd_module (static)
 authn_socache_module (static)
 authn_core_module (static)
 authz_host_module (static)
 authz_groupfile_module (static)
 authz_user_module (static)
 authz_dbm_module (static)
 authz_owner_module (static)
 authz_dbd_module (static)
 authz_core_module (static)
 access_compat_module (static)
 auth_basic_module (static)
 auth_form_module (static)
 auth_digest_module (static)
 allowmethods_module (static)
 file_cache_module (static)
 cache_module (static)
 cache_disk_module (static)
 cache_socache_module (static)
 socache_shmcb_module (static)
 socache_dbm_module (static)
 socache_memcache_module (static)
 socache_redis_module (static)
 so_module (static)
 watchdog_module (static)
 macro_module (static)
 dbd_module (static)
 dumpio_module (static)
 buffer_module (static)
 ratelimit_module (static)
 reqtimeout_module (static)
 ext_filter_module (static)
 request_module (static)
 include_module (static)
 filter_module (static)
 substitute_module (static)
 sed_module (static)
 deflate_module (static)
 http_module (static)
 mime_module (static)
 log_config_module (static)
 log_debug_module (static)
 logio_module (static)
 env_module (static)
 expires_module (static)
 headers_module (static)
 unique_id_module (static)
 setenvif_module (static)
 version_module (static)
 remoteip_module (static)
 proxy_module (static)
 proxy_connect_module (static)
 proxy_ftp_module (static)
 proxy_http_module (static)
 proxy_fcgi_module (static)
 proxy_scgi_module (static)
 proxy_uwsgi_module (static)
 proxy_fdpass_module (static)
 proxy_wstunnel_module (static)
 proxy_ajp_module (static)
 proxy_balancer_module (static)
 proxy_express_module (static)
 proxy_hcheck_module (static)
 session_module (static)
 session_cookie_module (static)
 session_dbd_module (static)
 slotmem_shm_module (static)
 ssl_module (static)
 http2_module (static)
 lbmethod_byrequests_module (static)
 lbmethod_bytraffic_module (static)
 lbmethod_bybusyness_module (static)
 lbmethod_heartbeat_module (static)
 unixd_module (static)
 systemd_module (static)
 dav_module (static)
 status_module (static)
 autoindex_module (static)
 info_module (static)
 suexec_module (static)
 cgi_module (static)
 dav_fs_module (static)
 dav_lock_module (static)
 vhost_alias_module (static)
 negotiation_module (static)
 dir_module (static)
 actions_module (static)
 speling_module (static)
 userdir_module (static)
 alias_module (static)
 rewrite_module (static)
 mpm_event_module (shared)
 
Ok, I see headers in the above output. Nice to see this confirmation.

This is what I've tried to add this CORS header:

Option 1 - Domain Level

DA, User Access, added to .htaccess:

Code:
<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "*"
</IfModule>

That did not work.

Option 2 - Admin Level

DA, Admin Access, Custom HTTPD Configurations, httpd.conf for the domain, Customize, added:

Code:
<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "*"
</IfModule>

Restarted Apache.

That did not work.

What else can I try?
 
Option 3 - Apache Config

SSH, edited /etc/httpd/conf/httpd.conf and added:

Code:
<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "*"
</IfModule>

Restarted Apache.

That did not work.
 
Option 4 - Apache Config

SSH, edited /etc/httpd/conf/httpd.conf and added:

Code:
<Directory /home/user/domains/domain.com/public_html>
   Header set Access-Control-Allow-Origin "*"
</Directory>

Restarted Apache.

That did not work.
 
target request ? or Other website request to your server is blocked ?
 
Figured out the problem. Following up, in case this happens to someone else...

Default DA installation for Apache is fine. Only thing you need to do on the server is your choice of both options listed in post 7 of this thread. It doesn't matter which one you do, just do one of them.

The reason I was having a problem was because of Cloudflare. The origin server may show one thing, but Cloudflare was showing something different. The solution for Cloudflare is to go into Transform Rules, and add a Response Header modification. Clear your cache, purge everything, and then you're good to go.

All good now... the geek in me was going crazy trying to find a solution ?
 
Figured out the problem. Following up, in case this happens to someone else...

Default DA installation for Apache is fine. Only thing you need to do on the server is your choice of both options listed in post 7 of this thread. It doesn't matter which one you do, just do one of them.

The reason I was having a problem was because of Cloudflare. The origin server may show one thing, but Cloudflare was showing something different. The solution for Cloudflare is to go into Transform Rules, and add a Response Header modification. Clear your cache, purge everything, and then you're good to go.

All good now... the geek in me was going crazy trying to find a solution ?
Is this the same issue or something different? I'm also using cloudflare. I'm already 3 days deep but can't find the solution.
 
Back
Top