Bug: Access-Control-Allow-Origin not being sent

lee1 · November 11, 2019, 11:32am

I have HTTP functions that return data to various other Wix sites. They have all stopped working and I’ve determined this is because Access-Control-Allow-Origin is not being sent.

case ‘homepage-calendar’:
response.body = await getHomepageCalendar();
response.headers[‘X-Access-Control-Allow-Origin’] = ""; //this is sent
response.headers[‘Access-Control-Allow-Origin’] = ''; //this isn’t
return ok(response);

As per comments, a custom header gets sent, but the CORS header does not.

Is anyone else getting this? This has always worked, but now doesn’t.

givemeawhisky · November 11, 2019, 12:01pm

Have a read of options from the HTTP Function section.
https://www.wix.com/corvid/reference/wix-http-functions.html
https://www.wix.com/corvid/reference/wix-http-functions.html#options

There are other pages that will help you too.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS#Preflighted_requests_in_CORS
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
https://www.w3.org/wiki/CORS_Enabled
https://www.html5rocks.com/en/tutorials/cors/
https://stackoverflow.com/questions/10636611/how-does-access-control-allow-origin-header-work
https://www.moxio.com/blog/12/how-to-make-a-cross-domain-request-in-javascript-using-cors

lee1 · November 11, 2019, 12:20pm

I don’t think I’m confused about how it works. I used many of those resources months ago and it has been working since then up until this weekend/today. I mean just looking at the code I pasted, wouldn’t you agree both should get sent? (The first one isn’t supposed to do anything, it’s just a non-standard X- header intended to illustrate that I’m declaring headers correctly and that some but not all are getting sent.)

lee1 · November 11, 2019, 1:08pm

I tested a barebones example on a different site and could see it continues to work normally, so I copied and pasted all my code from the broken site to the new site and… it works fine.

What am I supposed to do about that? It really needs to be served from the right domain.

lee1 · November 11, 2019, 1:50pm

Okay, definitely a bug. The original code does work - only when loaded through the username.wixsite.com address. Accessing the same site through its associated domain the header gets scrubbed.

Really frustrating waste of a morning.

lee1 · November 12, 2019, 2:42pm

I’ve not submitted this to support because that tends to be met with the most basic of troubleshooting steps no matter how specific and thorough you are in the ticket (and that’s before you involve code).

Can someone explain why my headers are getting scrubbed depending on whether you access from username.wixsite.com or own domain? Again, the screenshot shows the same site, same code returning different results.

export async function get_ourladystchad(request)
{
  const response = { "headers": { "Content-Type": "application/json" } };
 
  switch(request.headers.origin)
  {
  case 'http://localhost:9000':
  case 'https://ourladyandstchad.squarespace.com':
    response.headers["Access-Control-Allow-Origin"] = request.headers.origin;
    break;

  default:
    response.headers["Access-Control-Allow-Origin"] = "https://www.olsc.org.uk";
  }

 switch (request.path[0])
 {
 case 'homepage-calendar':
   response.body = await getHomepageCalendar();
   return ok(response);

  case 'whole-calendar':
    response.body = await getWholeCalendar();
    return ok(response);

  case 'twitter':
    response.body = await outputTimeline('OurLadyStChad', 'extended', null, '/assets/logo.png');
    return ok(response);

 /*case 'twitter-raw':
    response.body = await fetchTimeline('OurLadyStChad');
    return ok(response);*/

  default:
    return unknownOperation(response);
  }
}

nickvhockey13 · November 12, 2019, 3:32pm

I’m seeing the same thing here. It is frustrating they just started getting scrubbed without warning. Other headers are making it through. Can we get some sort of official stance on this @givemeawhisky or @yisrael-wix ?

https://www.wix.com/corvid/forum/community-discussion/corvid-stripping-cors-headers

nickvhockey13 · November 12, 2019, 10:26pm

I’ve contacted support to see if they can investigate and at least determine if this is a bug or an intentional change by Wix. If it is intentional, I need to migrate off of Wix and Corvid ASAP to get my sites working again. Has anyone else gotten an update?

nickvhockey13 · November 13, 2019, 3:45pm

I basically got a canned response that was basically the same as https://www.wix.com/corvid/forum/main/comment/5dc94d82e9d7cd0017b97acc as a reply from support. I clarified my request and hopefully it gets escalated to someone who can provide an official answer about the change.

Although today, it looks like “Access-Control-Allow-Methods” is being allowed through, but all others are still being blocked.

nickvhockey13 · November 13, 2019, 3:47pm

It looks like they stopped scraping the headers. CORS is back!

Topic		Replies	Views
Removing CORS headers, AGAIN? Ask the community code , question	4	317	November 19, 2019
FYI: CORS headers are being blocked again Ask the community code , question	6	283	December 6, 2019
blocked by CORS error Ask the community code , question	6	1272	February 20, 2020
CORS issue (?) with http-functions Ask the community code , question	3	509	May 25, 2020
Access to XMLHttpRequest to "wix page" from origin "external site" Ask the community code , question	4	614	July 16, 2021

Bug: Access-Control-Allow-Origin not being sent

Related topics