0

Trying to understand and debug an issue with a CORS setup on WebAPI 2. My front-end Angular/JavaScript application communicates with my API at

http://api.example.com/api/items/GetAll

which sometimes returns the following error:

The 'Access-Control-Allow-Origin' header has a value 'http://example.com' that is not equal to the supplied origin. Origin 'http://www.example.com' is therefore not allowed access.

Testing the API link in Fiddler returns the following in the headers:

Access-Control-Allow-Origin: http://example.com

Why would this happen and how do I address this situation?

3
  • It's pretty clear: on one side you have http://example.com and on the other you have http://www.example.com (note the www). These are not the same origin. Nor is api.example.com, which seems like it's more likely what is in one of these changed errors. Commented Aug 24, 2016 at 21:19
  • Yes, but my question is: why is example.com being returned in the header although my API is being called from www.example.com? Commented Aug 24, 2016 at 21:26
  • It's impossible for anyone to know why your code is returning an incorrect result without any sort of minimal reproducible example. Commented Aug 24, 2016 at 21:27

1 Answer

1

It appears that you have calls to both types of domain/URL in your client-side code.

Based on that assumption, CORS should be specified for both domains, i.e.

http://example.com 
http://www.example.com

References:

  1. https://www.w3.org/TR/cors/#access-control-allow-origin-response-header
  2. Access-Control-Allow-Origin wildcard subdomains, ports and protocols
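
The following is an added example, not code from the question or the answer and not WebAPI 2 code: a small JavaScript model of a server-side allow-list holding both origins named in the answer, next to the exact comparison the browser performs on the returned header. The names `ALLOWED_ORIGINS`, `serializedOrigin`, `corsHeadersFor`, `browserAccepts` and `demo` are hypothetical, and the `untrusted.test` origin is a constructed test value.

```javascript
// Added example (hypothetical names): allow-list decision + browser-side check.
const ALLOWED_ORIGINS = new Set([
  "http://example.com",
  "http://www.example.com",
]);

// Accept only a value that is already a serialized origin (scheme://host[:port]),
// which is the form browsers send; anything else ("null", a path, garbage) is rejected.
function serializedOrigin(value) {
  try {
    return new URL(value).origin === value ? value : null;
  } catch {
    return null;
  }
}

// Server side: choose the CORS response headers for one request.
function corsHeadersFor(requestOrigin) {
  // The header below depends on the request's Origin, so Vary: Origin is always
  // sent; otherwise a cache can replay one origin's header to another origin.
  const headers = { "Vary": "Origin" };
  const origin = requestOrigin ? serializedOrigin(requestOrigin) : null;
  if (origin !== null && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin; // echo the exact match only
  }
  return headers;
}

// Browser side (request without credentials): the header must be "*" or equal
// to the page's origin as a string; "www" and the bare domain are different origins.
function browserAccepts(pageOrigin, responseHeaders) {
  const allow = responseHeaders["Access-Control-Allow-Origin"];
  return allow === "*" || allow === pageOrigin;
}

// Constructed cases: the fixed header seen in Fiddler versus the allow-list.
function demo() {
  const fixed = { "Access-Control-Allow-Origin": "http://example.com" };
  const viaList = (o) => browserAccepts(o, corsHeadersFor(o));
  return {
    fixedFromWww: browserAccepts("http://www.example.com", fixed),
    listFromWww: viaList("http://www.example.com"),
    listFromBare: viaList("http://example.com"),
    lookalike: viaList("http://example.com.untrusted.test"),
  };
}

console.log(demo());
```

Matching against a set of full origin strings, rather than a prefix or substring test, is what keeps the constructed look-alike host from receiving the header.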