Blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource

Hi,

I am trying to access the API from an Apache server. ERPNext and the custom website are on different domains and servers.

I’ve added the following code in nginx.conf, and after that I restarted nginx and the server too, but the error is still the same.

Also, both are not secured, serving on http://

Anybody??

Solved by using allow_guest = True parameter.

Where did you put it?

Before defining the function:

@frappe.whitelist(allow_guest = True)

I think that after adding allow_guest to any method, it will be public for all, I mean it will not require login. Anybody can access that method, so it is not useful when working on any confidential data like payment or something.

For this I changed this in my nginx.conf:

upstream frappe-bench-frappe {
	server 127.0.0.1:8000 fail_timeout=0;
}

upstream frappe-bench-socketio-server {
	server 127.0.0.1:9000 fail_timeout=0;
}



# setup maps


# server blocks





server {
	listen 80;
	server_name
		site1.local
		;

	root /home/frappe/frappe-bench/sites;

	add_header X-Frame-Options "SAMEORIGIN";

	location /assets {
		try_files $uri =404;
	}

	location ~ ^/protected/(.*) {
		internal;
		try_files /site1.local/$1 =404;
	}

	location /socket.io {
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		proxy_set_header X-Frappe-Site-Name site1.local;
		proxy_set_header Origin $scheme://$http_host;
		proxy_set_header Host $host;

		proxy_pass http://frappe-bench-socketio-server;
	}

	location / {

		location ~ ^/files/.*.(htm|html|svg|xml) {
			add_header Content-disposition "attachment";
			try_files /site1.local/public/$uri @webserver;
		}
		try_files /site1.local/public/$uri @webserver;

		
	}

	location @webserver {
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Frappe-Site-Name site1.local;
		proxy_set_header Host $host;
		proxy_set_header X-Use-X-Accel-Redirect True;
		proxy_read_timeout 120;
		proxy_redirect off;
		
		# CORS: allow only the exact origin listed here. The pattern is anchored
		# at both ends so that look-alike hosts do not match.
		set $cors '';
		if ($http_origin ~ '^https?://localhost:8080$') {
			set $cors 'true';
		}
		# nginx "if" has no AND operator, so fold the method into the same variable
		if ($request_method = 'OPTIONS') {
			set $cors "${cors}options";
		}

		# actual (non-preflight) request from an allowed origin
		if ($cors = 'true') {
			add_header 'Access-Control-Allow-Origin' "$http_origin" always;
			#add_header 'Access-Control-Allow-Credentials' 'true' always;
			add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
			add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
			# required to be able to read Authorization header in frontend
			#add_header 'Access-Control-Expose-Headers' 'Authorization' always;
		}

		# preflight from an allowed origin; any other OPTIONS request goes to the backend
		if ($cors = 'trueoptions') {
			add_header 'Access-Control-Allow-Origin' "$http_origin" always;
			# only has an effect on credentialed requests if it is also enabled in the block above
			add_header 'Access-Control-Allow-Credentials' 'true' always;
			add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
			add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
			# required to be able to read Authorization header in frontend
			#add_header 'Access-Control-Expose-Headers' 'Authorization' always;
			# Tell client that this pre-flight info is valid for 20 days
			add_header 'Access-Control-Max-Age' 1728000;
			add_header 'Content-Type' 'text/plain; charset=UTF-8';
			add_header 'Content-Length' 0;
			return 204;
		}


		proxy_pass  http://frappe-bench-frappe;
	}

	# error pages
	error_page 502 /502.html;
	location /502.html {
		root /home/frappe/.bench/bench/config/templates;
		internal;
	}

	# optimizations
	sendfile on;
	keepalive_timeout 15;
	client_max_body_size 50m;
	client_body_buffer_size 16K;
	client_header_buffer_size 1k;

	# enable gzip compression
	# based on https://mattstauffer.co/blog/enabling-gzip-on-nginx-servers-including-laravel-forge
	gzip on;
	gzip_http_version 1.1;
	gzip_comp_level 5;
	gzip_min_length 256;
	gzip_proxied any;
	gzip_vary on;
	gzip_types
		application/atom+xml
		application/javascript
		application/json
		application/rss+xml
		application/vnd.ms-fontobject
		application/x-font-ttf
		application/font-woff
		application/x-web-app-manifest+json
		application/xhtml+xml
		application/xml
		font/opentype
		image/svg+xml
		image/x-icon
		text/css
		text/plain
		text/x-component
		;
		# text/html is always compressed by HttpGzipModule

}
3 Likes
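
Why the Origin check in a config like the one above should be an exact match, and why the preflight answer should depend on the same check: an added example in Python, not part of the original post and not Frappe or nginx code. It compares a pattern anchored only at the start, such as `^https?://(localhost:8080)`, with an exact allowlist; the function names and the sample Origin values are constructed for illustration.

```python
import re

# Pattern anchored at the start only (no trailing "$"): a prefix match.
PREFIX_PATTERN = re.compile(r"^https?://(localhost:8080)")
# Exact allowlist; localhost:8080 is the frontend origin used in the thread.
ALLOWED_ORIGINS = frozenset({"http://localhost:8080", "https://localhost:8080"})
ALLOW_METHODS = "GET, POST, PUT, DELETE, OPTIONS"
ALLOW_HEADERS = "Accept,Authorization,Content-Type,Origin,X-Requested-With"


def prefix_check(origin):
    """What a start-anchored regex decides for an Origin header value."""
    return bool(origin) and PREFIX_PATTERN.search(origin) is not None


def cors_headers(method, origin, allowed=ALLOWED_ORIGINS):
    """Return (status, headers) for a proxy to apply to this request.

    status is 204 when the proxy answers a preflight itself, and None when
    the request is passed on to the backend.
    """
    headers = {"Vary": "Origin"}  # the response differs per Origin, so caches must key on it
    if origin not in allowed:
        return None, headers      # no CORS headers, so the browser refuses the cross-origin read
    headers["Access-Control-Allow-Origin"] = origin
    headers["Access-Control-Allow-Methods"] = ALLOW_METHODS
    headers["Access-Control-Allow-Headers"] = ALLOW_HEADERS
    if method == "OPTIONS":
        headers["Access-Control-Max-Age"] = "1728000"  # 20 days, as in the config
        return 204, headers
    return None, headers


def compare(origins):
    """Map each origin to (prefix regex accepts?, exact allowlist accepts?)."""
    return {o: (prefix_check(o), o in ALLOWED_ORIGINS) for o in origins}


# Constructed sample Origin header values.
SAMPLE_ORIGINS = [
    "http://localhost:8080",
    "https://localhost:8080",
    "http://localhost:8080.example.test",  # look-alike host name
    "http://other.example.test",
]

if __name__ == "__main__":
    for origin, (prefix_ok, exact_ok) in compare(SAMPLE_ORIGINS).items():
        print(f"{origin:38} prefix={prefix_ok!s:5} exact={exact_ok}")
    print(cors_headers("OPTIONS", "http://other.example.test"))
```
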

Can you send your whole nginx config? I seem to have met the same problem, thanks.

Hi,
I’m using the Docker Swarm single site installation. I’m trying to connect to a 3rd party server using a client script.

I used console in Portainer to edit /etc/nginx/conf.d/default.conf to add the script published by @revant_one at Frappe CORS for nginx · GitHub

But when I restart the container all the changes disappear.

Any idea about where and how to add this script (or the allow_guest workaround) when ERPNext is in a Docker Swarm environment?

Thanks,

Which version of ERPNext are you using?

Check the allow_cors property in site_config.json.