Score:0

"CORS Multiple Origin Not Allowed" - using parse-server and apache2

I am using apache2 as a reverse proxy for my parse-server. In order to allow Cross Origin Requests I originally tried setting:

Header always set Access-Control-Allow-Origin "*"

in the apache config file together with:

ProxyPass /parse/ http://localhost:1337/parse/
ProxyPassReverse /parse/ http://localhost:1337/parse/
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

After setting this, the requests were successfully forwarded from apache to my parse-server. However, now my web app throws CORS Multiple Origin Not Allowed.

In the developer console of my browser I can see that this Access-Control-Allow-Origin option is set twice.

I have confirmed that the second instance of this appears due to parse-server. However, I cannot find a way to prevent either parse-server or apache from setting this option in the response.

I tried changing my initial line in the apache config to:

Header always setifempty Access-Control-Allow-Origin "*"
Header always add Access-Control-Allow-Origin "*"
Header always add Access-Control-Allow-Origin "*"
Header always edit Access-Control-Allow-Origin "^$" "*"

None of these tries changed anything. However, removing the Access-Control-Allow-Origin option in the apache config prevents the initial request from getting through to parse-server, so this is not an option.

I am using apache2 version 2.4.29 and parse-server 4.10.3.

Does anyone know a way to get this to work?

Score:2

First of all, I think it's important to understand a little background on how CORS works:

  • CORS is validated client-side by the browser.
  • To verify that an origin (different domain, protocol, or port) is allowed to access another origin, a pre-flight request may be issued before the actual Cross-Origin request. This request uses the OPTIONS method and needs to contain the Access-Control headers in the response.

So why am I saying this: I suspect the reason you need to set the Access-Control-Allow-Origin header in Apache for the request to be "getting through" is that your Apache configuration is not proxying OPTIONS requests. This leads to the browser getting an unexpected response in the pre-flight requests and throwing a CORS error before even attempting to make the actual request.

Since CORS is validated in the browser, the Apache reverse proxy shouldn't play any role in it. When your backend server (parse-server) is correctly configured to handle CORS requests and sends out the correct Access-Control-* headers, everything should be working no matter how many proxies you put in between. That is, as long as the proxy forwards all requests.

Alternatively, you may want to "slap on" the CORS configuration in the reverse proxy, but that seems unnecessary here. Since you are seeing two Access-Control-Allow-Origin headers in the response, I suspect that the parse-server is in fact already trying to handle the CORS request.

I recommend you first check your Apache configuration and make sure OPTIONS requests are forwarded to the parse-server. If that shouldn't be it, I'd look at the requests the browser makes in the network tab of the dev tools:

  • How does the pre-flight request look? Is there even a pre-flight request?
  • Does it succeed or fail, and with what error?
  • What are the Access-Control-* response headers on the pre-flight request?
  • Is the final request issued? What are the response headers on that request?

You can also debug these things by calling the services with curl and setting the Origin header.

curl -v -X PUT -H "Origin: https://example.com" https://www.example.org

That way you can simulate requests to your backend service and see what headers it sends.
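
As an added example (not part of the answer above), the header checks from that list can be scripted: the function below reads a raw header dump, such as the one `curl -D -` prints, and reports what a browser would reject, including the duplicated Access-Control-Allow-Origin from the question. The function name `check_preflight` and both sample responses are constructed for illustration.

```shell
#!/bin/sh
# check_preflight ORIGIN  (hypothetical helper name)
# Reads raw response headers on stdin and checks: 2xx status, exactly one
# Access-Control-Allow-Origin value, and that the value admits ORIGIN.
check_preflight() {
    tr -d '\r' | awk -v origin="$1" '
        /^HTTP\// { status = $2; n = 0; acao = ""; creds = ""; next }  # new response block
        {
            i = index($0, ":")
            if (i == 0) next
            name = tolower(substr($0, 1, i - 1))
            value = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (name == "access-control-allow-origin") {
                n += split(value, parts, ",")   # a merged "*, *" counts as two values
                acao = value
            }
            if (name == "access-control-allow-credentials") creds = tolower(value)
        }
        END {
            if (status !~ /^2/) { print "FAIL: status " status " is not 2xx"; bad = 1 }
            if (n == 0)     { print "FAIL: Access-Control-Allow-Origin missing"; bad = 1 }
            else if (n > 1) { print "FAIL: Access-Control-Allow-Origin sent " n " times"; bad = 1 }
            else if (acao != "*" && acao != origin) { print "FAIL: origin mismatch: " acao; bad = 1 }
            # browsers reject a wildcard origin on credentialed requests
            else if (acao == "*" && creds == "true") { print "FAIL: wildcard origin with credentials"; bad = 1 }
            if (!bad) print "OK: single Access-Control-Allow-Origin: " acao
            exit bad + 0
        }'
}

# Constructed sample: proxy and backend both added the header.
DUP_HEADERS='HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, PUT, POST, DELETE, OPTIONS
Access-Control-Allow-Origin: *
'
# Constructed sample: only the backend answers the preflight.
OK_HEADERS='HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods: GET, PUT, POST, DELETE, OPTIONS
'
printf '%s' "$DUP_HEADERS" | check_preflight "https://example.com" || true
printf '%s' "$OK_HEADERS"  | check_preflight "https://example.com" || true
# Live use (placeholder URL from the curl command above):
#   curl -s -o /dev/null -D - -X OPTIONS -H "Origin: https://example.com" \
#     -H "Access-Control-Request-Method: PUT" https://www.example.org | check_preflight https://example.com
```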

Score:0

In the developer console of my browser I can see that this Access-Control-Allow-Origin option is set twice.

Regarding the duplicate headers, I answered a similar question recently on the mailing list.

You have to read the configuration reference for the Header directive carefully to understand what is going on. See around the following text: "it does not offer any "normalized" single list of headers". Essentially, as I understand it, onsuccess (default) and always are names of two separate tables (lists) of headers.

Try the following:

Header onsuccess unset Access-Control-Allow-Origin
Header always set Access-Control-Allow-Origin "*"

Vinoth Rc
Header set Access-Control-Allow-Origin "*" works