(index):1 Access to XMLHttpRequest at ‘https://api.hoge.info/v1/top’ from origin ‘http://www.hoge.co.jp’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.
And an error has occurred.
However, when I confirmed it with the following command
It is described like this.
Is it because “access-control-request-method: GET” is not attached to the header?
Isn’t this something that is automatically attached when communicating with a browser?
As you can see from the error message
access-control-allow-origin: http://www.hoge.co.jp
The access source is restricted to http://www.hoge.co.jp as shown in.
If the address of the Unity WebGL app is http: // localhost: xxxx, it will be blocked.
There are two possible methods
Ask the API provider to add your Unity WebGL app domain, or
Have the restrictions lifted (access-control-allow-origin: *)
This request will be rejected because it may be restricted for some reason.
Instead of using a command line curl call to try to reproduce the same conditions after the fact, try looking at the exact OPTIONS request that goes out, by using the browser Network tab. That should show what the actual communication was that occurred. Sometimes browser diagnostics messages about CORS requirements have not been 100% accurate, so seeing the actual communications that took place can help rule out conditions.
Even if you use the Chrome extension “CORS Uninstall”
Access to XMLHttpRequest at’https://api.hoge.info/v1/top’ from origin’http://www.hoge.co.jp’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: It does not have HTTP ok status.
Error occurs and communication is not possible.
When you check with the Curl command, you have confirmed that the communication is successful.
Since it is communication using UnityWebRequest, we recognize that it is possible to communicate with WebGL.
Is the cause on the application side?
Do you know any other cause?
The error display on the console is as follows.
(index):1 Access to XMLHttpRequest at ‘https://api.hoge.info/v1/top’ from origin ‘http://www.hoge.co.jp’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.
The first issue is that the server replies with a HTTP Status of 403 (Forbidden) to the OPTIONS header. Refer to Nginx documentation on how to change the server to not forbid OPTIONS requests. E.g. enable cross-origin resource sharing might help?
However then looking at the HTTP Request, it has the following:
That, uh…, looks like garbage. Why is the web page requesting the server for a permission to specify HTTP Response Headers as part of a HTTP Request?
Are you manually adding in HTTP Response headers “access-control-allow-credentials,access-control-allow-headers,access-control-allow-methods,access-control-allow-origin” to the HTTP Request somewhere? If so, remove those headers from the HTTP Request - they are not HTTP Request headers and should not be there. If you are not doing that, then we should figure out who/what is. That looks very incorrect code.
Also, I do not see any “real” HTTP Request headers in that access-control-request-headers list, which suggests that maybe you are not even intending to do a preflighted CORS request in the first place, so the OPTIONS request should not even be need to be sent here?
Thank you very much.
After correcting the pointed out part, I confirmed that communication was possible.
However, when performing OAuth2 communication for login
I received the response, and the following error was displayed on the console.
The added header will be the one set at the time of the smartphone terminal.
Is it necessary to set up a dedicated CORS communication for OAuth2 communication as well?
I’m sorry to trouble you, but it would be very helpful if you could borrow your wisdom.
That is, the server api.hoge.info is configured to disallow cross-origin HTTP POST requests with the header set “authorization,content-type,x-hoge-env,x-hoge-terminal-id,x-requested-with”.
To be correct, the server api.hoge.info should be configured to instead return something like follows:
Request URL: https://api.hoge.info/v1/oauth2/token
Request Method: OPTIONS
Status Code: 204 No Content
Remote Address: xxx.xxx.xxx.xxx:xxx
Referrer Policy: strict-origin-when-cross-origin
I see a lot of changing headers. Where am I supposed to do this at? Inside of by google bucket I have it done, is there supposed to be another place I need to change headers? A specific script in Unity possibly?
I don’t have experience with Google Bucket, but if you haven’t read through these already: https://cloud.google.com/storage/docs/configuring-cors https://cloud.google.com/storage/docs/cross-origin
I use UnityWebRequest.Post with PHP and that has worked as a cross-platform solution (WebGL, Win64 and Android so far), aside from also needing the .htaccess for Addressables …in particular to support WebGL being hosted on one server with bundles loaded from another via remote catalog. There was nothing special that had to be done in C# or JS, the CORS errors I’ve dealt with all ended up being server-side issues.
If you’re asking where specifically in a PHP file, just at the top of any you want to communicate with:
The second image you’ve posted mentions several other headers, which would be added in the same way. Personally I’ve only needed Access-Control-Allow-Origin to get things working… which is with web hosting+SSL certificate due to other requirements I have that pretty much rule out any free alternatives (i.e. databases, FFMPEG, etc.). I haven’t dug into this aspect of deployment/CORS beyond that / can’t think of anything else to mention or suggest.
