CORS Issues 4.4.4

Your software
My Mautic version is: 4.4.4
My PHP version is: 7.4
My Database type and version is: mariadb

Your problem
My problem is:

I am getting that Mautic is being blocked by CORS policy when I have CORS enabled; however, if I disable CORS, I see no errors in the console log.

These errors are showing in the log:
In the console Log:

Access to XMLHttpRequest at 'https://mymauitc.com/mtc/event' from origin 'https://clientsite.com' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains the invalid value ''.
mtc.js:9          POST https://mymauitc.com/mtc/event net::ERR_FAILED 200
MauticJS.makeCORSRequest @ mtc.js:9
m.deliverPageEvent @ mtc.js:86
m.sendPageview @ mtc.js:92
(anonymous) @ mtc.js:93
MauticJS.dispatchEvent @ mtc.js:11
value @ mtc.js:24
w.<computed> @ ?lang=en:136
window.onload @ ?lang=en:141
load (async)
(anonymous) @ ?lang=en:140

Steps I have tried to fix the problem:

I have confirmed that inside Configuration -> System Settings -> CORS Settings:
Restrict Domains is toggled to Yes and inside Valid Domains, I have all variations of the site to enable:
http://123site123.com
https://123site123.com
http://www.123site123.com
https://www.123site.com

I have also gone and confirmed that inside /var/www/mautic/app/config/local.php has the following:

    'cors_restrict_domains' => 1,
    'cors_valid_domains' => array(
        '0' => 'http://site.com/',
        '1' => 'https://site.com/',
        '2' => 'http://www.site.com/',
        '3' => 'https://www.site.com/'
    ),

Inside web server mautic logs I am not seeing any errors only entries in the access log:

31.6.3.228 - - [04/Jan/2023:09:10:52 +0000] "GET /mtc.js HTTP/2.0" 200 100674 "https://www.site.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
31.6.3.228 - - [04/Jan/2023:09:10:55 +0000] "OPTIONS /mtc/event HTTP/2.0" 204 0 "https://www.site.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
31.6.3.228 - - [04/Jan/2023:09:10:55 +0000] "GET /mtracking.gif?page_title=Page%20-%20New%20One&page_language=en-US&preferred_locale=en_US&page_referrer= www.site.com&page_url=https%3A%2F%2F www.site.com%2Fpromotions%2F%3Flang%3Den&counter=0&timezone_offset=-120&resolution=1920x1080&platform=MacOS&do_not_track=false&timezone=Asia%2FJerusalem&mautic_device_id=79sdnlh8et1t1802zfei6zi&email=409%40tets.com&unique_player_id=10978368&tags=Triomphe HTTP/2.0" 200 43 "https://www.site.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
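
An added diagnostic example, not part of the original thread and not Mautic's own code: browsers send `Origin` as `scheme://host[:port]` with no trailing slash, so this audits an allowlist shaped like the `local.php` entries above against that form. It assumes the server compares by exact string match; the function names and sample values are constructed for illustration.

```javascript
// Assumption: the server sends Access-Control-Allow-Origin only when the
// request's Origin header exactly equals an allowlist entry (not Mautic source).

// Serialize an entry the way a browser serializes Origin: scheme://host[:port],
// lower-cased, default port dropped, no path and no trailing slash.
function toOrigin(entry) {
  let url;
  try {
    url = new URL(entry.trim());
  } catch {
    return null; // no scheme, e.g. "site.com"
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.origin;
}

// Flag every entry that can never equal an Origin header as written.
function auditAllowlist(entries) {
  return entries.map((entry) => {
    const origin = toOrigin(entry);
    let problem = null;
    if (origin === null) problem = 'not an http(s) origin';
    else if (origin !== entry) problem = 'differs from serialized origin';
    return { entry, origin, problem };
  });
}

// Exact-match check, as assumed above.
function isAllowed(requestOrigin, entries) {
  return entries.includes(requestOrigin);
}

// Constructed sample: allowlist in the shape shown in local.php in the post.
const configured = [
  'http://site.com/',
  'https://site.com/',
  'http://www.site.com/',
  'https://www.site.com/',
];
const requestOrigin = 'https://www.site.com'; // constructed Origin header value

const report = auditAllowlist(configured);
const normalized = report.map((r) => r.origin).filter(Boolean);
for (const r of report) console.log(r.entry, '->', r.origin, r.problem || 'ok');
console.log('as configured:', isAllowed(requestOrigin, configured));
console.log('normalized:', isAllowed(requestOrigin, normalized));
```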

Try whitelisting the domains on server (nginx, apache) level as well.

hey @mzagmajster - thanks for the info.

Few things:

  1. How would I do this on nginx? Do you have an example of a .conf file?
  2. Any idea why this could be happening, we usually have no issues with CORS on other instances.

I’ve also had this issue pop up from time to time, and at the moment have one site that has a CORS issue and another that doesn’t; the sites appear to be configured exactly the same, and I haven’t been able to determine why.

Elsewhere in the forum, there is a note to update .htaccess in the mautic root to enable CORS as well, I’m sure a quick search will turn that up.

In my case, I’ve added new CNAMES for the domain that Mautic is on in DNS and that seems to have addressed the issue.

The primary reason I did it was for multi-site tracking with 1st party cookies per @joeyk's great video on why you should do this, but I believe it should also make the CORS issue go away permanently as well.

The video is well worth a watch.

In my case, I have Mautic on https://mymautic.com, which is completely different than the public facing domains.

I created CNAME DNS records as below and changed the site settings in WordPress to use those new CNAME domains. All covered in Joey’s step by step in the video.

i.e.:
CNAME mautic.site1.com mymautic.com
CNAME mautic.site2.com mymautic.com

This seems to have resolved the issue.

Happens when CORS is enabled,
and have you added the domains to the list near the CORS setting?

Yes this was added, it seems to be an issue that occurs randomly with some setups

Last week I had a similar issue, maybe even the same, and after many tests I added this to the web.config of the IIS on Windows Server - it is like the htaccess.

It solved the problem.

    <cors enabled="true" failUnlistedOrigins="true">
        <add origin="https://*.example.com" allowCredentials="true" maxAge="120">
            <allowHeaders allowAllRequestedHeaders="true">
            </allowHeaders>
        </add>
    </cors>