CORS Problems out of the Blue

On 4.2.0, all of a sudden we started seeing CORS issues. We tried to disable CORS totally and this did nothing.

Has anyone experienced something similar?

We are on 4.4.0 and we have multiple different Mautic forms on external webpage. We are not having any issues.

Check the browser console to see if there is any hint as to why you are having the issue.

Thanks. Yes, in the console I can see that there are CORS issues. The strange thing is that nothing has happened or changed in our version of Mautic. All of a sudden on the 16 June all tracking stopped and forms stopped working.

Then it’s likely this needs to be corrected in htaccess.

But for a quick fix, you can try going to your Mautic configuration and under CORS Setting → toggle the Restrict domain to No.

Nothing has changed in .htaccess and the server is running NGINX. I already tried disabling CORS and it still does not work; I also cleared the cache.

If the browser console said it’s a CORS issue then it’s the CORS issue …

NGINX … curious, have you set allowed CORS in NGINX config file?

To be honest I am not that familiar with the configuration; however, once again, nothing changed, it just stopped working.

Here is my mautic.conf file:

server {
  server_name mymautic.com;
   root /var/www/mautic;
   error_log /var/log/nginx/mautic.error;
   access_log /var/log/nginx/mautic.access;
   client_max_body_size 20M;

   index index.php index.html index.htm index.nginx-debian.html;

   location / {
     # try to serve file directly, fallback to app.php
     try_files $uri /index.php$is_args$args;
   }

   location ~ /(mtc.js|1.js|8.js|9.js|7.js|.*\.js|mtracking.gif|.*\.gif|mtc) {
       # default_type "application/javascript";
       try_files $uri /index.php$is_args$args;
   }

   # redirect some entire folders
     rewrite ^/(vendor|translations|build)/.* /index.php break;

   location ~ \.php$ {
     include snippets/fastcgi-php.conf;
     fastcgi_pass unix:/run/php/php7.4-fpm.sock;
     #Note: If you install Mautic on iRedMail server, you should use the TCP socket instead.
     #fascgi_pass 127.0.0.1:9999


   }

   location ~* ^/index.php {
     # try_files $uri =404;
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
     # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

     fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
     #Note: If you install Mautic on iRedMail server, you should use the TCP socket instead.
     #fascgi_pass 127.0.0.1:9999
     fastcgi_index index.php;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     include fastcgi_params;

     fastcgi_buffer_size 128k;
     fastcgi_buffers 256 16k;
     fastcgi_busy_buffers_size 256k;
     fastcgi_temp_file_write_size 256k;
   }

    # Deny everything else in /app folder except Assets folder in bundles
    location ~ /app/bundles/.*/Assets/ {
        allow all;
        access_log off;
    }
    location ~ /app/ { deny all; }

    # Deny everything else in /addons or /plugins folder except Assets folder in bundles
    location ~ /(addons|plugins)/.*/Assets/ {
        allow all;
        access_log off;
    }
    # location ~ /(addons|plugins)/ { deny all; }

    # Deny all php files in themes folder
      location ~* ^/themes/(.*)\.php {
        deny all;
    }

    # Don't log favicon
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    # Don't log robots
    location = /robots.txt  {
        access_log off;
        log_not_found off;
    }

    # Deny yml, twig, markdown, init file access
    location ~* /(.*)\.(?:markdown|md|twig|yaml|yml|ht|htaccess|ini)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny all attempts to access hidden files/folders such as .htaccess, .htpasswd, .DS_Store (Mac), etc...
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny all grunt, composer files
    location ~* (Gruntfile|package|composer)\.(js|json)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny access to any files with a .php extension in the uploads directory
        location ~* /(?:uploads|files)/.*\.php$ {
                deny all;
    }
     # A long browser cache lifetime can speed up repeat visits to your page
  location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
       access_log        off;
       log_not_found     off;
       expires           360d;
  }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mymautic.com/fullchain.pem; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mymautic.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mymautic.com/privkey.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mymautic.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot


    ssl_trusted_certificate /etc/letsencrypt/live/mymautic.com/chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot
}
server {
    if ($host = mymautic.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


   listen 80;
   listen [::]:80;
   server_name mymautic.com;

   root /var/www/mautic;
   error_log /var/log/nginx/mautic.error;
   access_log /var/log/nginx/mautic.access;
   client_max_body_size 20M;

   index index.php index.html index.htm index.nginx-debian.html;

   location / {
     # try to serve file directly, fallback to app.php
     try_files $uri /index.php$is_args$args;
   }

   location ~ /(mtc.js|1.js|8.js|.*\.js|mtracking.gif|.*\.gif|mtc) {
       # default_type "application/javascript";
       try_files $uri /index.php$is_args$args;
   }

   # redirect some entire folders
     rewrite ^/(vendor|translations|build)/.* /index.php break;

   location ~ \.php$ {
     include snippets/fastcgi-php.conf;
     fastcgi_pass unix:/run/php/php7.4-fpm.sock;
     #Note: If you install Mautic on iRedMail server, you should use the TCP socket instead.
     #fascgi_pass 127.0.0.1:9999
   }

   location ~* ^/index.php {
     # try_files $uri =404;
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
     # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

     fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
     #Note: If you install Mautic on iRedMail server, you should use the TCP socket instead.
     #fascgi_pass 127.0.0.1:9999
     fastcgi_index index.php;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     include fastcgi_params;

     fastcgi_buffer_size 128k;
     fastcgi_buffers 256 16k;
     fastcgi_busy_buffers_size 256k;
     fastcgi_temp_file_write_size 256k;
   }
    # Deny everything else in /app folder except Assets folder in bundles
    location ~ /app/bundles/.*/Assets/ {
        allow all;
        access_log off;
    }
    location ~ /app/ { deny all; }

    # Deny everything else in /addons or /plugins folder except Assets folder in bundles
    location ~ /(addons|plugins)/.*/Assets/ {
        allow all;
        access_log off;
    }
    # location ~ /(addons|plugins)/ { deny all; }

    # Deny all php files in themes folder
      location ~* ^/themes/(.*)\.php {
        deny all;
    }

    # Don't log favicon
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    # Don't log robots
    location = /robots.txt  {
        access_log off;
        log_not_found off;
    }

    # Deny yml, twig, markdown, init file access
    location ~* /(.*)\.(?:markdown|md|twig|yaml|yml|ht|htaccess|ini)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny all attempts to access hidden files/folders such as .htaccess, .htpasswd, .DS_Store (Mac), etc...
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny all grunt, composer files
    location ~* (Gruntfile|package|composer)\.(js|json)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny access to any files with a .php extension in the uploads directory
        location ~* /(?:uploads|files)/.*\.php$ {
                deny all;
    }
    # A long browser cache lifetime can speed up repeat visits to your page
  location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
       access_log        off;
       log_not_found     off;
       expires           360d;
  }




}

It would sure be cool if you could point me in the correct direction if my conf file is not correct.

I have never worked with NGINX config before. I learned of this by Googling to see if it needed to be configured for CORS and read that it does. I was curious myself.

From what I read, this will open it up to all domains if it is added to the config:

add_header Access-Control-Allow-Origin *;

Try that first and restart NGINX then test it. If that fixes it then replace it with a config that is specific to your domains only. One line per domain.

add_header Access-Control-Allow-Origin "yourdomains.com";


Did you clear the Mautic cache after disabling CORS in the configuration settings?

Yes I did - thanks.

I have tried both solutions above and nothing is working. It does not matter if I turn CORS off/on or change everything, I am still getting the console error:

Access to XMLHttpRequest at 'https://mymauitc.com/mtc/event' from origin 'https://mywordpress.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header contains multiple values 'https://mywordpress.com,(http://mywordpress.com).com', but only one is allowed.

It says only one is allowed, but before I was supporting multiple sites and using @joeyk's Multidomain plugin as well.

I also found this post initially but nothing is helping here: Issues with CORS when trying to configure Mautic 3 and NGinx

and a good reference is : How to Enable CORS in Apache and Nginx?

However I have a hunch that Mautic is somehow ignoring these settings from the local.php file for some reason…
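The "contains multiple values" error quoted above can be reproduced offline. This is an added example, not part of the original thread or of Mautic: it checks a raw preflight response against the browser's one-value rule. The hostnames, the sample response and the function names are constructed for illustration.

```python
# Constructed sample (placeholder hostnames): a preflight response in which two
# layers, e.g. the application and an nginx add_header, each set the header.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Access-Control-Allow-Origin: https://site-a.example\r\n"
    "Access-Control-Allow-Origin: http://site-a.example\r\n"
    "Access-Control-Allow-Methods: GET, POST\r\n"
    "\r\n"
)


def parse_headers(raw_response):
    """Return (lower-cased name, value) pairs from a raw HTTP response head."""
    pairs = []
    for line in raw_response.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_cors(raw_response, origin):
    """Return findings for a response to a request that carried `origin`."""
    headers = parse_headers(raw_response)
    # Browsers join repeated header lines with commas, so two lines and one
    # comma-separated line are the same failure.
    values = [v.strip() for name, value in headers
              if name == "access-control-allow-origin"
              for v in value.split(",")]
    credentialed = any(name == "access-control-allow-credentials"
                       and value == "true" for name, value in headers)
    if not values:
        return ["missing: no Access-Control-Allow-Origin header"]
    if len(values) > 1:
        return ["multiple: %r; more than one layer sets the header" % values]
    if values[0] == "*":
        return (["wildcard-with-credentials: '*' is refused when credentials "
                 "are sent"] if credentialed else [])
    if values[0] != origin:
        return ["mismatch: %r is not the request origin %r" % (values[0], origin)]
    return []
```

A "multiple" finding means the header is being emitted in more than one place (application settings, a plugin, or the web server config); only one of them should set it, with exactly one origin per response.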

Send them a DM and see what they did to resolve it… I know the post is old, however it doesn’t hurt to DM.

Is it data exchange with a wp site? Any wordfence like evil plugin running?

Nope nothing bad is installed recently and no word fence… going to take a big chance and do an upgrade to 4.4.0 and see if that makes a difference.

We have 4.4.0 in production for couple of clients, no screaming yet.

Updated to 4.4.0 and same behaviour.

The weird thing is the forms are showing, but on submit it just hangs.

Console error:

Uncaught DOMException: Blocked a frame with origin "https://mymautic.com" from accessing a cross-origin frame.
    at HTMLDocument.<anonymous> (https://mymautic.com/media/js/app.js?v178a5420:274:162)
    at mightThrow (https://mymautic.com/media/js/libraries.js?v178a5420:355:18)
    at process (https://mymautic.com/media/js/libraries.js?v178a5420:357:89)

So I have gone back to basics now.

I went and previewed the form and filled it out inside Mautic and got this.

Then I went and created a new form and everything worked on Preview.

I took the form and added it using the WP Mautic shortcode and it did not work.

I added the JavaScript and on submit I get to the internal error page: “Uh oh! I think I broke it. If I do it again, please report me to the system administrator!”

Totally stumped on this one.

So I remembered there was a post to hide the calendar which used myscript.js (How hide calendar menu item - #3 by robm)

So I went and put this back to the way it should be, i.e. original Mautic file and I am getting the following console error:

Failed to load resource: the server responded with a status of 500 () submit:1

In the log the only error I am seeing (and I am not sure this is related as this is a high traffic site) is the following:

2022/06/30 07:44:59 [error] 1325325#1325325: *11445 FastCGI sent in stderr: "PHP message: PHP Notice:  SessionHandler::gc(): ps_files_cleanup_dir: opendir(/var/lib/php/sessions) failed: Permission denied (13) in /var/www/mautic/vendor/symfony/http-foundation/Session/Storage/Handler/StrictSessionHandler.php on line 106" while reading response header from upstream, client: 11.11.111.11, server: mymaiutic.com, request: "PATCH /api/contacts/411274/edit HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.4-fpm.sock:", host: "mymaiutic.com"

Although I checked this contact ID and it is an actual user, so I do not think this error is related.

Checking in Firefox and seeing the following in the console: