Mautic Community Forums

Request header field X-Requested-With is not allowed by Access-Control-Allow-Headers. (CORS )

I have a main domain and a subdomain (where actual mautic is installed), unfortunately, I have a cross-origin HTTP request problem if mautic is setup within a subdomain. When I load the example.com I get the following errors in Safari Console:

Code:
Failed to load resource: Origin https://example.com is not allowed by Access-Control-Allow-Origin. XMLHttpRequest cannot load https://subdomain.example.com/mtc. Origin https://example.com is not allowed by Access-Control-Allow-Origin.

Which make sense for security reason.

So, I add
Code:
header set Access-Control-Allow-Origin: https://example.com
to https://subdomain.example.com
Code:
/etc/httpd/conf/httpd.conf
file. Thanks to this article about CORS on MDN. But, now I get the following error:
Code:
Failed to load resource: Credentials flag is true, but Access-Control-Allow-Credentials is not "true". MLHttpRequest cannot load https://subdomain.example.com/mtc. Credentials flag is true, but Access-Control-Allow-Credentials is not "true".

Then, I add
Code:
header set Access-Control-Allow-Credentials: true
to
Code:
/etc/httpd/conf/httpd.conf
file. But I still get an error:
Code:
Failed to load resource: Request header field X-Requested-With is not allowed by Access-Control-Allow-Headers. XMLHttpRequest cannot load https://subdomain.example.com/mtc. Request header field X-Requested-With is not allowed by Access-Control-Allow-Headers.

And, this is where I'm stuck, Can someone help me? Thanks in advance.

I have a main domain and a subdomain (where actual mautic is installed), unfortunately, I have a cross-origin HTTP request problem if mautic is setup within a subdomain. When I load the example.com I get the following errors in Safari Console:

Failed to load resource: Origin https://example.com is not allowed by Access-Control-Allow-Origin. XMLHttpRequest cannot load https://subdomain.example.com/mtc. Origin https://example.com is not allowed by Access-Control-Allow-Origin.

Which make sense for security reason.

So, I add header set Access-Control-Allow-Origin: https://example.com to https://subdomain.example.com /etc/httpd/conf/httpd.conf file. Thanks to this article about CORS on MDN. But, now I get the following error:

Failed to load resource: Credentials flag is true, but Access-Control-Allow-Credentials is not "true". MLHttpRequest cannot load https://subdomain.example.com/mtc. Credentials flag is true, but Access-Control-Allow-Credentials is not "true".

Then, I add header set Access-Control-Allow-Credentials: true to /etc/httpd/conf/httpd.conf file. But I still get an error:

Failed to load resource: Request header field X-Requested-With is not allowed by Access-Control-Allow-Headers. XMLHttpRequest cannot load https://subdomain.example.com/mtc. Request header field X-Requested-With is not allowed by Access-Control-Allow-Headers.

And, this is where I’m stuck, Can someone help me? Thanks in advance.

I find the solution to this issue. What you need to do is set the Origin, Headers, and Credentials. I miss the “Headers” section which I didn’t specify in my httpd.conf. Here is the complete configuration:

Header set Access-Control-Allow-Origin: https://example.com Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept" Header set Access-Control-Allow-Credentials: true

Farhadd, where exactly have you put this headers in httpd.conf? I tried putting these lines in the bottom of the document but with no success.