A browser reports a CORS error
Find which CORS flow step failed and preserve the HTTP response evidence the browser received.
- cors
- browsers
- diagnostics
Diagnostic overview
Symptoms
- Browser JavaScript cannot read a cross-origin response and the console names CORS.
- Server logs show a request even though Fetch rejects its promise.
Likely layers
client, browser cache, proxy, cdn, origin, protocol
Common causes
- Access-Control-Allow-Origin is absent or does not exactly match the request origin.
- Credential mode conflicts with wildcard or missing credential response fields.
- A redirect or error response omits the CORS fields sent on success responses.
Diagnostic steps
Record the page origin, target origin, method, credential mode, and request fields.
Look for: These values determine the Fetch CORS path and expected response checks.
Inspect the network record for preflight and actual responses.
Look for: Status and CORS fields separate HTTP handling from browser sharing.
Compare success, redirect, and error responses at the responsible server layer.
Look for: Missing policy fields on one response path explain context-specific failures.
Targeted fixes
- Return an exact allowlisted origin and compatible credential fields on every intended response path.
- Handle preflight separately when the request is not CORS-safelisted.
- Keep authentication and authorization independent from CORS response sharing.
Record both origins and the network response
The console summary is not the complete exchange. Capture the page origin,
request Origin, target, credential mode, status, and response fields.
Origin: https://app.example.invalid
Access-Control-Allow-Origin: https://app.example.invalid
Expected result: these values are compatible for non-wildcard origin sharing. Credentials still require compatible Fetch mode and server permission.
Decide whether preflight occurred
If an OPTIONS request failed, diagnose that exchange first. If no preflight was needed, inspect the actual response’s CORS check. A server can return 200 and the browser can still withhold the response from script.
Fix policy at the owning server
Use an explicit allowlist and return the policy on intended error and redirect paths too. Do not reflect arbitrary Origin values with credentials, and do not disable authorization to make a sharing error disappear.
