Bug: Access-Control-Allow-Origin not being sent

I have HTTP functions that return data to various other Wix sites. They have all stopped working and I’ve determined this is because Access-Control-Allow-Origin is not being sent.

case 'homepage-calendar':
  response.body = await getHomepageCalendar();
  response.headers['X-Access-Control-Allow-Origin'] = ""; // this is sent
  response.headers['Access-Control-Allow-Origin'] = ''; // this isn't
  return ok(response);

As per comments, a custom header gets sent, but the CORS header does not.

Is anyone else getting this? This has always worked, but now doesn’t.


Have a read of options from the HTTP Function section.
https://www.wix.com/corvid/reference/wix-http-functions.html
https://www.wix.com/corvid/reference/wix-http-functions.html#options

There are other pages that will help you too.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS#Preflighted_requests_in_CORS
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
https://www.w3.org/wiki/CORS_Enabled
https://www.html5rocks.com/en/tutorials/cors/
https://stackoverflow.com/questions/10636611/how-does-access-control-allow-origin-header-work
https://www.moxio.com/blog/12/how-to-make-a-cross-domain-request-in-javascript-using-cors

I don’t think I’m confused about how it works. I used many of those resources months ago and it has been working since then up until this weekend/today. I mean just looking at the code I pasted, wouldn’t you agree both should get sent? (The first one isn’t supposed to do anything, it’s just a non-standard X- header intended to illustrate that I’m declaring headers correctly and that some but not all are getting sent.)

I tested a barebones example on a different site and could see it continues to work normally, so I copied and pasted all my code from the broken site to the new site and… it works fine.

What am I supposed to do about that? It really needs to be served from the right domain.

Okay, definitely a bug. The original code does work - only when loaded through the username.wixsite.com address. Accessing the same site through its associated domain the header gets scrubbed.

Really frustrating waste of a morning.

I’ve not submitted this to support because that tends to be met with the most basic of troubleshooting steps no matter how specific and thorough you are in the ticket (and that’s before you involve code).

Can someone explain why my headers are getting scrubbed depending on whether you access from username.wixsite.com or own domain? Again, the screenshot shows the same site, same code returning different results.

export async function get_ourladystchad(request)
{
  const response = { "headers": { "Content-Type": "application/json" } };

  switch (request.headers.origin)
  {
  case 'http://localhost:9000':
  case 'https://ourladyandstchad.squarespace.com':
    response.headers["Access-Control-Allow-Origin"] = request.headers.origin;
    break;

  default:
    response.headers["Access-Control-Allow-Origin"] = "https://www.olsc.org.uk";
  }

  switch (request.path[0])
  {
  case 'homepage-calendar':
    response.body = await getHomepageCalendar();
    return ok(response);

  case 'whole-calendar':
    response.body = await getWholeCalendar();
    return ok(response);

  case 'twitter':
    response.body = await outputTimeline('OurLadyStChad', 'extended', null, '/assets/logo.png');
    return ok(response);

  /*case 'twitter-raw':
    response.body = await fetchTimeline('OurLadyStChad');
    return ok(response);*/

  default:
    return unknownOperation(response);
  }
}
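
The comparison described above (same function, same code, reached once through the username.wixsite.com address and once through the site's own domain) can be checked outside the browser by diffing the headers the function sets against the headers a client receives. This is an added example, not code from any poster in the thread; `findScrubbed` and `probeHosts` are hypothetical helper names, and the origin and recorded responses are constructed sample data.

```javascript
// CORS response headers to compare, lower-cased the way fetch reports them.
const CORS_HEADERS = [
  'access-control-allow-origin',
  'access-control-allow-methods',
  'access-control-allow-headers',
];

// Lower-case header names so 'Access-Control-Allow-Origin' matches what a client sees.
const lowerKeys = (headers) =>
  Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));

// Given the headers the function set and the headers a client received, return
// the CORS headers that were dropped or rewritten in between.
function findScrubbed(sent, received) {
  const s = lowerKeys(sent);
  const r = lowerKeys(received);
  return CORS_HEADERS
    .filter((name) => name in s && r[name] !== s[name])
    .map((name) => ({ name, sent: s[name], received: r[name] ?? null }));
}

// Request the same endpoint through each hostname with the same Origin header
// and report, per URL, which CORS headers did not survive.
// Assumption: a runtime with a global fetch that lets the caller set Origin
// (for example Node 18+); browsers set Origin themselves.
async function probeHosts(urls, origin, sent, fetchImpl = fetch) {
  const report = {};
  for (const url of urls) {
    const res = await fetchImpl(url, { headers: { Origin: origin } });
    report[url] = findScrubbed(sent, Object.fromEntries(res.headers.entries()));
  }
  return report;
}

// Constructed sample: what the function sets, and two recorded responses.
const SENT = {
  'Content-Type': 'application/json',
  'X-Access-Control-Allow-Origin': 'https://client.example',
  'Access-Control-Allow-Origin': 'https://client.example',
};
const VIA_WIXSITE = { ...lowerKeys(SENT) };                 // header intact
const { 'access-control-allow-origin': _dropped, ...VIA_OWN_DOMAIN } = VIA_WIXSITE;

console.log(findScrubbed(SENT, VIA_WIXSITE));    // nothing scrubbed
console.log(findScrubbed(SENT, VIA_OWN_DOMAIN)); // Access-Control-Allow-Origin missing
```

A non-empty result for one hostname and an empty one for the other, with the custom `X-` header present in both, points at something between the function and the client rather than at the function's code.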

I’m seeing the same thing here. It is frustrating they just started getting scrubbed without warning. Other headers are making it through. Can we get some sort of official stance on this @givemeawhisky or @yisrael-wix ?

https://www.wix.com/corvid/forum/community-discussion/corvid-stripping-cors-headers

I’ve contacted support to see if they can investigate and at least determine if this is a bug or an intentional change by Wix. If it is intentional, I need to migrate off of Wix and Corvid ASAP to get my sites working again. Has anyone else gotten an update?

I basically got a canned response that was basically the same as https://www.wix.com/corvid/forum/main/comment/5dc94d82e9d7cd0017b97acc as a reply from support. I clarified my request and hopefully it gets escalated to someone who can provide an official answer about the change.

Although today, it looks like “Access-Control-Allow-Methods” is being allowed through, but all others are still being blocked.

:tada::tada::tada::tada::tada:
It looks like they stopped scraping the headers. CORS is back!