Certainly! Here’s a refined version of your question:

The CORS plugin works perfectly for the root endpoint, but it doesn’t seem to function for requests to https://server/wp-content/uploads/. How can I configure the plugin to handle CORS requests for this specific endpoint?

• This topic was modified 3 months ago by vishwa100.

I am still getting a CORS error after enabling the CORS plugin. I have https://www.shirksllc.com as an allowed website and everything checked true on the plugin.

My front end is shirksllc.com and my wordpress backend is shirksllc.net. This is the error I’m getting https://shirksllc.net/wp-json/jwt-auth/v1/token/validate’ from origin ‘https://www.shirksllc.com’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

For whitelisted origins, the plugin sends an unknown/invalid response header (“Very”).

Headers.php in enable-cors/trunk/src/Helpers – WordPress Plugin Repository

The correct response header should be “Vary”.

Vary – HTTP | MDN (mozilla.org)

Hi,

The plugin works great, love the UI. When i add the origin to the plugin it works on /wp-json/wp/v2/posts which is the standard posts endpoint for the WP REST API.

But i have a custom one that i made to pull a specific custom post type, but its still failing the CORS test on the test website (and front end).

Ive even added the headers into the function itself, but somehow its not passing it through. Console.log shows the blocked by cors error. But the other default endpoints work. Does anyone know any workarounds to this?

add_action('rest_api_init', function () {
register_rest_route('site/v1', '/all-events/', array(
'methods' => 'GET',
'callback' => 'get_all_events',
'permission_callback' => '__return_true'
));
});

function get_all_events($request) {
// Add CORS headers
$origin = get_http_origin();
$allowed_origins = ['https://clublandkl-next.vercel.app', 'https://localhost:3000', 'https://localhost:3001'];

if ($origin && in_array($origin, $allowed_origins)) {
    header("Access-Control-Allow-Origin: $origin");
    header("Access-Control-Allow-Methods: GET, OPTIONS");
    header("Access-Control-Allow-Headers: Content-Type");
    header("Access-Control-Allow-Credentials: true");
}

// Handle preflight requests
if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
    status_header(200);
    exit();
}

Hello,

I’ve installed your plugin and followed the instructions in your video but I my website is still not passing the CORs Tester.

I’ve tried clearing the cache and saving the Permalinks but it makes no difference.

Can you let me know if there is something else that I need to do to get this working?

Thanks in Advance,
Donal

I am trying to establish a CORS policy to access font, but it seems to not configure properly.

For example, see:

https://www.fangoria.com/cf-fonts/s/montserrat/5.0.16/latin/800/normal.woff2

Trying to access from https://link.fangoria.com/x/myjhtK

I’m using this plugin and for the most part it works as expected. But I found that when testing my root domain it will work with GET/POST but not PUT/OPTIONS. In particular I need to be able to enable CORS for OPTIONS.

Any ideas/suggestions for why it’s not working for those request methods?

Even after i install and enable plugin, the cors error still in my site, any help? its my first time using this plugin.

Thanks

Hi, So I am attempting to get cors enabled for https://nicobolt.com/ to send things to https://app.commercebird.com/. I installed the plugin, cleared my cache, and the CORS tester is saying this: https://cors-test.codehappy.dev/?url=https%3A%2F%2Fnicobolt.com%2F&origin=https%3A%2F%2Fapp.commercebird.com%2F&method=get

This URL will only work for specific domains. This url can only be loaded by pages that match?*, *. If you’re trying to load it from a different origin and it’s not working, you’ll need to change it so the?access-control-allow-origin?header is set to?*.

Please advise. Thank you!

I am unable to get this to work – my dropdown areas in the main menu are the number 3 and social icons are showing as boxes. I submitted the URL above in the CORS Tester and I did receive an error that the URL will not work correctly with CORS but I didn’t really understand the reasoning. If you could help me to get this working, I would be forever grateful!

Thank you!

So I believe the plugin is working correctly, but I’m having an issue that I wonder if might know the answer to.

I’m trying to get an image using the Fetch API in a Next.js site, for this I connect to some WordPress sites to get those images. Recently I moved one of this sites from Siteground to Hostinger.

While the configuration is the same in the new hosting I’m not being able to get it to work.
I’ve purged cache countless times, deactivated the plugin and the hosting service cache.

Working fetch for Siteground image:
let img = await fetch(‘https://meril.wolkestudio.com.ar/wp-content/uploads/2024/03/8b666c55-0e64-4ec1-8b4a-fa70ab1d0e30-yusbuq.png’);

Same image, not working on Hostinger:
let img = await fetch(‘https://coral-mosquito-569400.hostingersite.com/wp-content/uploads/2024/03/8b666c55-0e64-4ec1-8b4a-fa70ab1d0e30-yusbuq.png’);

(I’ve left all the CORS configurations activated with the wildcard on purpose for the test)

Any idea for what could this be? In Siteground I had to deactivate some Nginx service they’ve got to have this work, but I can’t find anything similar in Hostinger.

Dear development team!

I have found an issue with the plugin. The value for the Access-Control-Allow-Credentials is being sent out as 1 instead of true. This happens because of a bug in src/Helpers/Headers.php. The value

$option->is_allow_credentials()

is being concatenated with the rest of the header which cause php to convert it to 1 or 0. A revised version of this line could be:

if ( $option->is_allow_credentials() ) {
    header( 'Access-Control-Allow-Credentials: ' . ($option->is_allow_credentials() ? 'true' : 'false') );
}

After updating the code, the plugin started working as intended.

If you use Github for version control, I would be happy to create a pull request. If you need any other information feel free to reach out to me.

Kind regards,
Sebastian Joey Lamprecht

Hi I have an issue which is a bit weird. I have a subdomain carnivaldev.qiu.edu.my and the subdomain is trying to GET from the domain qiu.edu.my. The plugin works when I tested it in the morning but the CORS got blocked again in the evening. The only way to make it work again is to flush cache (I’m using litespeed). Is this normal?

Hi,
I’m using your plugin for Cors issue. i have tested it on this url https://cors-test.codehappy.dev/, but issue occur same. my website is https://dev04.kreatetechnologies.com/smartech-api/.
Thanks.

How to solve that problem?

Access to XMLHttpRequest at ‘https://www.facebook.com/plugins/customer_chat/SDK/?app_id=&attribution=fbe_woocommerce&channel=https%3A%2F%2Fstaticxx.facebook.com%2Fx%2Fconnect%2Fxd_arbiter%2F%3Fversion%3D46%23cb%3Df770970af46795e16%26domain%3Drawood.pl%26is_canvas%3Dfalse%26origin%3Dhttps%253A%252F%252Frawood.pl%252Ffe7a0fe6934a073f7%26relation%3Dparent.parent&container_width=412&current_url=https%3A%2F%2Frawood.pl%2Fproduct%2Fdrewniany-kredens-z-litego-drewna-do-salonu-jadalni-marino%2F&event_name=chat_plugin_sdk_dialog_iframe_create&is_loaded_by_facade=true&loading_time=0&local_state=%7B%22v%22%3A2%2C%22path%22%3A2%2C%22chatState%22%3A1%2C%22visibility%22%3A%22hidden%22%2C%22showUpgradePrompt%22%3A%22not_shown%22%2C%22greetingVisibility%22%3A%22hidden%22%7D&locale=en_US&log_id=1b290e72-beec-4247-83ea-0cced1bc9235&page_id=1948314655427025&request_time=1712399348547&sdk=joey&suppress_http_code=1’ from origin ‘https://rawood.pl’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

Hi all, I’m experiencing several warnings on a site to which I installed the plugin. Error_log messages:

• PHP Warning: Cannot modify header information – headers already sent in /public_html/wp-content/plugins/enable-cors/src/Helpers/Headers.php on line 35
• PHP Warning: Cannot modify header information – headers already sent in /public_html/wp-content/plugins/enable-cors/src/Helpers/Headers.php on line 38

See also the plugin setting screenshot: https://ibb.co/Svsj7MN
Website and server info: PHP 8.2, WP 6.3.2.

Looking forward to hearing from you. Thanks!

Another issue with version 1.2.2:

The plugin does not allow PATCH as method (not possible to select in UI). Also, the commas should be be followed by space (” “)

Default value:

access-control-allow-methods: OPTIONS, GET, POST, PUT, PATCH, DELETE

With plugin enabled:

access-control-allow-methods: GET,POST,OPTIONS,PUT,DELETE

In version 1.2.2 when checking “Allow Credentials”, the header value is 1 instead of true:

access-control-allow-credentials: 1

https://cors-test.codehappy.dev/?url=https%3A%2F%2Fstore.motiontees.com%2Fwp-content%2Fuploads%2F2023%2F12%2FDSC_6698.jpg&origin=https%3A%2F%2Fmotiontees.com&method=post

As you can see here I do not get a success for trying to access the image. If I change the URL to be https://store.motiontees.com/wp-json or the root folder then it works as anticipated as seen in the following link.

https://cors-test.codehappy.dev/?url=https%3A%2F%2Fstore.motiontees.com%2Fwp-json&origin=https%3A%2F%2Fmotiontees.com&method=post

Just wondering if there is anything I can do to get CORS to work for the images in the uploads subfolders. Would appreciate any help you can offer.

Hi,

I’ve installed the plugin, and tested on https://cors-test.codehappy.dev/, it shows the site has passed CORS test, however on the origin site it still showing “No ‘Access-Control-Allow-Origin’ header is present on the requested resource.”

I’ve cleared all caches and still doesn’t work, could you check it for me? I can hire for the debugging, thanks a lot!

It’s work / good job

Version 1.2.1 has issues. The save button doesn’t work. I try to add additional Response Headers or Request Methods and the options disappear.

• help me!where is the problem? Thanks!

Hi!

Thanks for this plugin! The option “Allowed Websites” suggests that it is possible to add multiple domains. But I guess that it is only possible to add one?

Thanks, Luc

I am using your plugin and I have this configuration:

Enable CORS TRUE

Allow Images Sharing TRUE

Allow Fonts Sharing TRUE

Allow Credentials TRUE

Allowed Websites *

But then I receive this error. Also, both website are on the same server, so not sure why I cannot access.
<code><br>Access to video at 'https://dashboard.jordigarreta.com/wp-content/uploads/2022/08/cup.mp4' from origin 'https://www.jordigarreta.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.<br></code>

Thanks

The latest update can’t be activated due to triggering a fatal error. If the plugin is already installed and it auto-updates it will bring the entire site down.

PHP Fatal error: Uncaught TypeError: implode(): Argument #2 ($array) must be of type ?array, string given in /is/htdocs/wp1033564_9MD5WDX7NZ/www/staging/wp-content/plugins/enable-cors/src/Helpers/Cors.php:125\nStack trace:\n#0 /is/htdocs/wp1033564_9MD5WDX7NZ/www/staging/wp-content/plugins/enable-cors/src/Helpers/Cors.php(125): implode(',', 'GET,POST,OPTION...')\n#1 /is/htdocs/wp1033564_9MD5WDX7NZ/www/staging/wp-content/plugins/enable-cors/src/Plugin.php(111): Enable\\Cors\\Helpers\\Cors-]headers()\n#2 /is/htdocs/wp1033564_9MD5WDX7NZ/www/staging/wp-content/plugins/enable-cors/enable-cors.php(67): Enable\\Cors\\Plugin::init()\n#3 /is/htdocs/wp1033564_9MD5WDX7NZ/www/staging/wp-settings.php(462): include_once('/is/htdocs/wp10...')\n#4 /is/htdocs/wp1033564_9MD5WDX7NZ/www/staging/wp-config.php(97): require_once('/is/htdocs/wp10...')\n#5 /is/htdocs/wp1033564_9MD5WDX7NZ/www/staging/wp-load.php(50): require_once('/is/htdocs/wp10...')\n#6 /is/htdocs/wp1033564_9MD5WDX7NZ/www/staging/wp-blog-header.php(13): require_once('/is/htdocs/wp10...')\n#7 /is/htdocs/wp1033564_9MD5WDX7NZ/www/staging/index.php(17): require('/is/htdocs/wp10...')\n#8 {main}\n thrown in /is/htdocs/wp1033564_9MD5WDX7NZ/www/staging/wp-content/plugins/enable-cors/src/Helpers/Cors.php on line 125

Hi there ,

how can i add additional Allowed Websites in the field ( ?? or ?

I can’t save the website URL in the plugin configuration, it returns an ‘error 500’ message in the right footer of the screen

I can see the plugin makes request to localhost/wp-json when saving the settings initially. which is a wrong url. because not everyone hosts their site in the root of the server. Most of the people using mamp, xampp, wamp host it in a subfolder. in that case it makes request to localhost and encounters 404. Can you please fix it?

another issue: you can not put * in the website url field and it says not a valid url. But we know access control header support * for indicating all urls. Besides, the default is * from the plugin as well. But we cannot just save that.