Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

OPTIONS not handled when Origin header is present

See original GitHub issue

Bug report

NextJS simply ignores any OPTIONS request that has Origin in the header and won’t execute the function.

Describe the bug

After Following the documentation and implementing the middleware to handle cors, it seems seems like it gets triggered ONLY when there’s no Origin header in the OPTIONS request.

In other words, put a console.log at the beginning of the function (before cors middleware). Send an OPTIONS request without Origin in the headers, see the log. Now add Origin (any value) and the log doesn’t even show up. The function was not executed.

To Reproduce

Start with a fresh NextJS app
Follow the documentation
Use Postman to send an OPTIONS request and see the cors middleware returning the right response
Add Origin in the headers (to simluate a browser) and watch as the api function doesn’t get called.

Expected behavior

NextJS should allow me to handle CORS requests.

Screenshots

System information

OS: macOS
Browser Postman (or any browser)
Version of Next.js: 9.3.5
Version of Node.js: 13.8.0

Additional context

I already submitted an issue here https://github.com/zeit/next.js/issues/11478 but it was swiftly closed.

Issue Analytics

State:
Created 3 years ago
Reactions:5
Comments:7 (2 by maintainers)

Top GitHub Comments

3reactions

seveibarcommented, Feb 17, 2022

I created a reproduction of NextJS rewriting CORS here: https://github.com/hello-seam/nextjs-rewrites-break-cors/tree/main

This is problematic for companies leveraging NextJS for APIs

3reactions

kawmracommented, Jun 30, 2021

I found the codes causing this bug.

https://github.com/vercel/next.js/blob/6cd1c874519b615ee5ca246c2497e166fc969a5f/packages/next/server/hot-reloader.ts#L57-L67

This function doesn’t consider rewrite rules and simply adds fixed CORS headers.

The problem only occurs on the dev server with rewrite rules that rewrite non-API paths to API paths, so you can workaround the problem by starting the server (next build && next start) instead of starting the dev server (next dev).

Top Results From Across the Web

Fixing "No 'Access-Control-Allow-Origin' Header Present"

This error occurs when a script on your website/web app attempts to make a request to a resource that isn't configured to accept...

No 'Access-Control-Allow-Origin' header is present on the ...

The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin...

Cross-Origin Resource Sharing (CORS) - MDN Web Docs

Note: As described below, the actual POST request does not include the Access-Control-Request-* headers; they are needed only for the OPTIONS ...

Resolve the "No 'Access-Control-Allow-Origin' header" error ...

How do I resolve the "No 'Access-Control-Allow-Origin' header is present on the requested resource" error from CloudFront? Last updated: 2022-06-16.

Enabling Cross Origin Requests for a RESTful Web Service

The browser will fail the request if the CORS headers are missing from the response. To test the CORS behaviour, you need to...