Solved

[Consent Solution] Request fails because of CORS

The same happens on production sites.

Access to XMLHttpRequest at 'https://consent.iubenda.com/beta/public/consent' from origin 'https://cdpn.io' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

We're using the Iubenda Consent Solution to register the GDPR consents; this is critical.

  • Hi Michele,


    I would like to let you know that our development team has already fixed the issue you reported, so now everything should be working fine with no issues!


    We appreciate your contribution in reporting in detail the issue you were dealing with.


    Best,



    Sara


    iubenda


  • I can confirm the headers which are now sent in the OPTIONS response request allow for the POST /consent request to occur.


    Thank you


    Have a nice day

  • When a request fails due to CORS (Cross-Origin Resource Sharing), it means that the web browser is blocking the request because the resource being accessed is located on a different domain than the one making the request. CORS is a security feature built into web browsers that helps prevent malicious websites from accessing resources on other websites without permission.

    To resolve this issue, you will need to modify the server-side code to include the appropriate CORS headers in the response to the client's request. The CORS headers will inform the browser that the server is willing to accept requests from other domains.

    The headers that need to be added to the response include:

    Access-Control-Allow-Origin: This header specifies the domain(s) that are allowed to access the resource. You can set this to "*" to allow any domain to access the resource, or you can specify a specific domain.

    Access-Control-Allow-Methods: This header specifies the HTTP methods that are allowed for the request. For example, "GET, POST, OPTIONS" would allow GET, POST, and OPTIONS requests.

    Access-Control-Allow-Headers: This header specifies the custom headers that are allowed for the request. For example, if the client is sending an Authorization header, you would need to include that header in this list.

    Access-Control-Max-Age: This header specifies how long the results of the preflight request (an initial request sent to check if the server is willing to accept the actual request) can be cached.

    Here's an example of how to set the CORS headers in a Node.js server response: 

    app.use(function(req, res, next) {
      res.setHeader('Access-Control-Allow-Origin', '*');
      res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
      res.setHeader('Access-Control-Allow-Headers', 'Authorization, Content-Type');
      res.setHeader('Access-Control-Max-Age', '86400');
      next();
    });
    

    This middleware will set the CORS headers for all requests to the server. You may need to adjust the values based on your specific requirements.

    Once the server has been updated to include the appropriate CORS headers, the client's request should be able to access the resource without being blocked by the browser.
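An added example, not part of the thread and not iubenda's code: instead of sending "*", the server side below reflects the Origin header only when it is on an allowlist, and a simplified model of the browser's preflight check shows why a response without Access-Control-Allow-Origin is blocked. The allowlist, method and header values, and the function names are assumptions made for illustration.

```javascript
// Added example. The allowlist, methods and headers below are assumed values.
const ALLOWED_ORIGINS = new Set(['https://cdpn.io', 'https://www.example.com']);
const ALLOWED_METHODS = ['POST', 'OPTIONS'];
const ALLOWED_HEADERS = ['content-type', 'authorization'];

// Server side: compute CORS response headers for a request object shaped like
// Node's IncomingMessage ({ method, headers } with lower-cased header names).
function corsHeaders(req) {
  const out = { Vary: 'Origin' }; // caches must key on Origin because it is reflected
  const origin = req.headers.origin;
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return out; // no allow-origin header
  out['Access-Control-Allow-Origin'] = origin; // exact match only, never a prefix test
  if (req.method === 'OPTIONS' && req.headers['access-control-request-method']) {
    out['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    out['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    out['Access-Control-Max-Age'] = '86400';
  }
  return out;
}

// Browser side, simplified (no credentials, no wildcard header lists):
// would this preflight response let the actual request go ahead?
function preflightPasses(req, res) {
  const list = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  const acao = res['Access-Control-Allow-Origin'];
  if (acao !== '*' && acao !== req.headers.origin) return false;
  const method = req.headers['access-control-request-method'].toLowerCase();
  const methods = list(res['Access-Control-Allow-Methods']);
  // GET, HEAD and POST are CORS-safelisted methods and need not be listed.
  if (!['get', 'head', 'post'].includes(method) && !methods.includes(method)) return false;
  const allowed = list(res['Access-Control-Allow-Headers']);
  return list(req.headers['access-control-request-headers']).every((h) => allowed.includes(h));
}

// Constructed preflight, modelled on the request in the error message above.
function samplePreflight(origin) {
  return {
    method: 'OPTIONS',
    headers: {
      origin,
      'access-control-request-method': 'POST',
      'access-control-request-headers': 'content-type',
    },
  };
}
```
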

  • Thanks for your help

  • Yes I know it

  • Thank you

  • Yes

  • Thank you Sara

  • thank you
