Missing origin error

[DogAndHerDude]

Guys, please, I'm all out of ideas. Nothing is working.

The basic issue is the fact that requests get denied because it says that Access-Control-Allow-Origin header is missing. Problem is that everything worked fine until it didn't for whatever reason. Some requests make it through, some just get ignored.

Here's my configuration to start with:

	corsHandler := cors.New(cors.Options{
		AllowCredentials: true,
		AllowOriginFunc:  func(origin string) bool { return true },
		AllowedMethods:   []string{"GET", "POST", "PUT", "HEAD", "OPTIONS"},
		AllowedHeaders:   AllowedHeaders,
		Debug:            true,
	})

Whenever we receive a request in production, I get the following error:
[cors] 2020/03/02 11:55:06 Actual request no headers added: missing origin

If I log the origin in the AllowOriginFunc function, the origin is present.

The request itself is a basic GET method request using JS fetch:

await fetch(new Request('<my url>', {
  method: 'GET',
  headers: {
   Accept: 'application/json',
  },
}))

[tarasyarema]

Have you tried with AllowedHeaders: []string{"*"}?

[mrsoftware]

I have the same problem.

[GiancarlosIO]

😢

[pierrebiver]

Same here

[phramos07]

Same here. In my case specifically, I have a Swagger-UI hosted on the same domain as my API. When it requests an endpoint, it gives me the message 'Failed to fetch'. In debug, I see that 'there is no origin header provided'. What's most intriguing is that, if I execute the exact curl that is shown in the swagger-ui - supposedly the same Curl they're performing - I get an answer. So I know it's a CORS Problem, I've added CORS middleware, I've tested it locally with a fake origin header, but, in production, it fails. I don't know what to do anymore. Already checked the order in which I'm adding the middlewares and Cors is the first one.

Edit:

I was trying to call HTTP in production instead of HTTPS. So it had nothing to do with cors, it was failing because Heroku (where the app is hosted) wouldn't allow HTTP calls. Sorry to comment on here.

[felipecruz91]

I'm running out of ideas as well after +6h...

[mrsoftware]

My problem was with proxy plugins, i was using proxy plugin in my browser, and that plugin was removing all headers about CORS, i disable it and now it's working.

[devinmatte]

Having basically the same issue, just trying to send a simple fetch API call with an Authorization header. API call works fine before adding that header. The same log line is showing up Actual request no headers added: missing origin. "Origin" and "Authorization" are in my list of allowed headers.

[fangker]

CORS need set origin header.
Having origin is a precondition of rs/cors.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin

gin.Use(func(ctx *gin.Context) {ctx.Request.Header.Set("Origin", "*") }, cors.New(cors.Default())

[syukronhidayat]

Set the cors.Options Debug to false.

[mohdrasbi]

Set the cors.Options Debug to false.

This worked for me. Thanks @hidayats10!

[zee7153]

same issue i face

[pierow2k]

Set the cors.Options Debug to false.

Doesn't that just keep the error message from appearing in the output? (i.e. it does not resolve the underlying problem)

[TRSeculan]

does anyone solve this ?

[NekoFluff]

Set the cors.Options Debug to false.

Doesn't that just keep the error message from appearing in the output? (i.e. it does not resolve the underlying problem)

Strangely enough I started getting response data after setting the Debug option to false so that's that.

[jub0bs]

I'm not blaming anybody, but there seems to be much confusion in this issue. The lack of a minimal reproducible example doesn't help. Here is my two cents.

In v1.10.1 at least, the following message

Actual request no headers added: missing origin

is logged only if

1. the Debug option is set, and
2. the request lacks an Origin header, which, according to the Fetch standard, only occurs if the request is same-origin.

If the request is same-origin, it doesn't participate in the CORS protocol and the absence of an Access-Control-Allow-Origin header in the response shouldn't cause a CORS error in the browser.

The log message above does not indicate whether your CORS middleware is well or badly configured. Whatever dysfunctional CORS configuration you're trying to troubleshoot doesn't stem from the value of the Debug option.

---

@NekoFluff

Strangely enough I started getting response data after setting the Debug option to false so that's that.

I'd be very curious to see a minimal reproducible example (perhaps in the form of one or two tests cases; see cors_test.go).