Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'

See original GitHub issue

Not sure why I’m getting this error when trying to allow CORS on my flask app. Here’s my server:

#library imports
from flask import Flask
from flask_cors import CORS, cross_origin

app = Flask(__name__)
CORS(app, resources={r"/*": {"origins": "*"}})
app.config['CORS_HEADERS'] = 'Content-Type'

@app.route('/img', methods=['POST'])
def image_upload():
    if not request.json:
        abort(400)
    print(request.json)
    return jsonify('working')

if __name__ == "__main__":
    app.run(host= "0.0.0.0", debug=True, port = 5000, threaded=True)
    print("Running dev server on port 5000")

Now on my frontend, when I attempt to make a POST request to /img, I get the error in the title. The full error is:

XMLHttpRequest cannot load http://0.0.0.0:5000/img. Response to preflight request doesn’t pass access control check: The value of the ‘Access-Control-Allow-Credentials’ header in the response is ‘’ which must be ‘true’ when the request’s credentials mode is ‘include’. Origin ‘http://localhost:8080’ is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

Issue Analytics

  • State:closed
  • Created 6 years ago
  • Reactions:1
  • Comments:10 (1 by maintainers)

github_iconTop GitHub Comments

28reactions
Syntafcommented, Apr 2, 2017

Update: Adding the following code works, is there a way to do this with flask-cors so I don’t need to ways of allowing cross-origin?

@app.after_request
def after_request(response):
  response.headers.add('Access-Control-Allow-Origin', 'http://localhost:8080')
  response.headers.add('Access-Control-Allow-Headers', 'Content-Type,Authorization')
  response.headers.add('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS')
  response.headers.add('Access-Control-Allow-Credentials', 'true')
  return response
21reactions
ghostcommented, Dec 19, 2019

@corydolphin I have the same error. I have built na application and If I test request using Postman or Insonia it works normally, the application receive the requests and store the data in the session / database, but if I try to make a request from a React application using Axios I receive an error and the application doesn’t receive any request or store data.

Error :

Failed to load 127.0.0.1:5000/logout : Response to preflight request doesn't pass access control check : The value of the ' Access-Control-Allow-Credentials ' header in the response is ' ' which must be ' true ' when the request's credentials mode is ' include '. Origin ' localhost:8080 ' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

Flask application config :

# Imports

from flask import Flask

from flask_cors import CORS

# Cors

config = {
  'ORIGINS': [
    'http://localhost:8080',  # React
    'http://127.0.0.1:8080',  # React
  ],

  'SECRET_KEY': '...'
}

# App

app = Flask('Test')

CORS(app, resources={ r'/*': {'origins': config['ORIGINS']}}, supports_credentials=True)

Request in React :

axios({
  method: 'post',
  url: `127.0.0.1:5000/logout`,
  headers: {Authorization: `Bearer ${this.state.login.access_token}`},
  withCredentials: true // True otherwise I receive another error
}).then(response => {
  console.log('Logout ', response);
})

I have also research but I don’t know how to solve this.

Obs ¹ : I’m using server side session (Flask Session)

Obs ² : The other error is a 500. It happens because I try to get something from session to make the logout, but the attribute is not found in session (if I make the request with the tool I mentioned, it works fine).

Read more comments on GitHub >

github_iconTop Results From Across the Web

The credentials mode of requests initiated by ... - Stack Overflow
The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute. One of the request is like this ...
Read more >
Yii2 does not send Access-Control-Allow-Headers in preflight ...
I extend ActiveController and set CORS filter in my application ... is not allowed by Access-Control-Allow-Headers in preflight response.
Read more >
CORS policy | Apigee X - Google Cloud
Indicates whether the caller is allowed to send the actual request (not the preflight) using credentials. Translates to the Access-Control-Allow-Credentials ...
Read more >
Authorization Code OAuth flow for SharePoint Add-ins
This section summarizes the OAuth authentication and authorization flow for a SharePoint add-in requesting permissions on the fly. The flow is ...
Read more >
Error has been blocked by CORS policy: No 'Access-Control ...
My webapp API is running, and use OAuth with Spring-security to manage authentication with Salesforce OAuth2. Everything is OK if i'am using the ......
Read more >

github_iconTop Related Medium Post

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Using flask-cors with flask-restful and @before_request decorator for jwt auth

Next page

Version 3.0.0 Release?