CORS Policy not working

  • I am trying to set up nodebb-plugin-fusionauth-oidc but I am getting the following error:

    Access to fetch at 'https://DOMAIN/.well-known/openid-configuration' from origin 'https://DOMAIN2' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
    

    I am using an NGINX reverse proxy for SSL. I have tried this configuration in the NGINX conf:

        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
    
            proxy_pass http://127.0.0.1:4567;
            proxy_redirect off;
    
            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    
            #CORS
            if ($request_method = 'OPTIONS') {
                    add_header 'Access-Control-Allow-Origin' '*';
    
                    add_header 'Access-Control-Allow-Credentials' 'true';
                    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    
                    add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    
                    add_header 'Access-Control-Max-Age' 1728000;
                    add_header 'Content-Type' 'text/plain charset=UTF-8';
                    add_header 'Content-Length' 0;
                    return 204;
            }
            if ($request_method = 'POST') {
                    add_header 'Access-Control-Allow-Origin' '*';
                    add_header 'Access-Control-Allow-Credentials' 'true';
                    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
                    add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
            }
            if ($request_method = 'GET') {
                    add_header 'Access-Control-Allow-Origin' '*';
                    add_header 'Access-Control-Allow-Credentials' 'true';
                    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
                    add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
            }
        }
    

    As someone mentioned, this wildcard works, but it didn't in my case.
    I tried adding * and DOMAIN in Access-Control-Allow-Origin in Settings > Advanced
    but I am still receiving the same CORS error.

    I am running NodeBB v1.19.8.

  • @Ankesh-Anand setting ACAO to "*" is pretty dangerous, so we don't allow that to be set in the ACP (we ignore the setting if it's set to the wildcard). Nginx should be able to override that, but I don't think you need to.

    Which domain is your site? DOMAIN or DOMAIN2? The ACAO header needs to be set on DOMAIN, not DOMAIN2.

  • Yeah it sounds like if NodeBB can't retrieve the .well-known configuration from the other site, then it's the other site's headers that need adjusting I think?
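
Added example (not part of the thread, and not NodeBB or plugin code): a simplified JavaScript model of the check the browser applies to the response from the requested resource (DOMAIN in the thread), run against the header pair from the posted nginx config and against an explicit allow-list. The `.example` origins and the function names are constructed for illustration.

```javascript
// Simplified model of the CORS check a browser applies to a cross-origin
// response (Fetch standard). Response header names are given in lowercase.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) {
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (acao === "*") {
    // The wildcard only satisfies requests sent without credentials.
    return credentialsMode === "include"
      ? { allowed: false, reason: "wildcard rejected for credentialed request" }
      : { allowed: true, reason: "wildcard accepted without credentials" };
  }
  if (acao !== requestOrigin) {
    return { allowed: false, reason: "origin does not match header value" };
  }
  const acac = responseHeaders["access-control-allow-credentials"];
  if (credentialsMode === "include" && acac !== "true") {
    return { allowed: false, reason: "credentials not allowed by response" };
  }
  return { allowed: true, reason: "origin matched" };
}

// What the server hosting the resource can send instead of "*": echo the
// origin only when it is on an explicit allow-list (hypothetical helper).
function corsHeadersFor(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return {};
  return { "access-control-allow-origin": requestOrigin, vary: "Origin" };
}

// Constructed stand-in for DOMAIN2, and the header pair from the posted config.
const FORUM_ORIGIN = "https://forum.example";
const WILDCARD_WITH_CREDENTIALS = { "access-control-allow-origin": "*", "access-control-allow-credentials": "true" };

function scenarios() {
  const other = "https://other.example"; // constructed origin that is not allow-listed
  return {
    // Resource on DOMAIN answers without the header: the error in the thread.
    resourceWithoutHeader: corsCheck(FORUM_ORIGIN, "same-origin", {}),
    // "same-origin" is fetch()'s default mode: no credentials cross-origin.
    wildcardDefaultFetch: corsCheck(FORUM_ORIGIN, "same-origin", WILDCARD_WITH_CREDENTIALS),
    wildcardCredentialed: corsCheck(FORUM_ORIGIN, "include", WILDCARD_WITH_CREDENTIALS),
    allowListed: corsCheck(FORUM_ORIGIN, "same-origin", corsHeadersFor(FORUM_ORIGIN, [FORUM_ORIGIN])),
    unlistedOrigin: corsCheck(other, "same-origin", corsHeadersFor(other, [FORUM_ORIGIN])),
  };
}

console.log(scenarios());
```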

