It seems like CORS error is well-known issue in the web field. But I tried flutter web for the first time ever and I faced critical error.
The code below worked well in app version when it was running on iOS device, but when i tested the same code on Chrome with web debugging from beta channel, it encountered CORS error.
Other stackoverflow answers explained how to solve the CORS issue with serverside files of their projects. But I have totally no idea what is server thing and how to deal with their answers. The error message from Chrome console was below
[ Access to XMLHttpRequest at 'https://kapi.kakao.com/v1/payment/ready' from origin 'http://localhost:52700' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. ]
So, what i want to do is to solve above 'Access-Control-Allow-Origin header' issue ONLY WITH DART CODE! Code below is what i've tried to solve these issues only with my main.dart.
onPressed: () async {
var res =
await http.post('https://kapi.kakao.com/v1/payment/ready', encoding: Encoding.getByName('utf8'), headers: {
'Authorization': 'KakaoAK $_ADMIN_KEY',
HttpHeaders.authorizationHeader: 'KakaoAK $_ADMIN_KEY',
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Methods": "POST, GET, OPTIONS, PUT, DELETE, HEAD",
}, body: {
'cid': 'TC0ONETIME',
'partner_order_id': 'partner_order_id',
'partner_user_id': 'partner_user_id',
'item_name': 'cool_beer',
'quantity': '1',
'total_amount': '22222',
'vat_amount': '2222',
'tax_free_amount': '0',
'approval_url': '$_URL/kakaopayment',
'fail_url': '$_URL/kakaopayment',
'cancel_url': '$_URL/kakaopayment'
});
Map<String, dynamic> result = json.decode(res.body);
print(result);
},
Even though i actually had the header "Access-Control-Allow-Origin": "*" which most other answers recommended, the Chrome console printed same error message. Weird thing is that the same code made successful request in mobileApp version. So I think this is only problem with flutter WEB VERSION.
Hope somebody can figure it out and suggest only-dart code to resolve the issue in my main.dart!! Thank you for reading [:
1- Go to flutter\bin\cache and remove a file named: flutter_tools.stamp
2- Go to flutter\packages\flutter_tools\lib\src\web and open the file chrome.dart.
3- Find '--disable-extensions'
4- Add '--disable-web-security'
Since Flutter 3.3.0
I implemented the option to add any browser flag to the flutter command.
flutter run -d chrome --web-browser-flag "--disable-web-security"
Or for drive command:
flutter drive --driver=test_driver/integration_test.dart --target=integration_test/app_test.dart -d web-server --web-browser-flag="--disable-web-security"
Note: This is just for development and testing. Flutter is executed explicitly on the client's browser! You should NOT and you can NOT disable it in production (as stated by #Tommy), as it is a security feature of the browser, and not meant to be changed in dart code. You have to enable CORS on your web server, which is providing the resources of your Flutter app, to ensure it works for everyone.
If you use dart language without Flutter on the server side with shelf, then see this response.
I think disabling web security as suggested will make you jump over the current error for now but when you go for production or testing on other devices the problem will persist because it is just a workaround, the correct solution is from the server side to allow CORS from the requesting domain and allow the needed methods, and credentials if needed.
run/compile your Flutter web project using web-renderer. This should solve the issue both locally and remotely:
flutter run -d chrome --web-renderer html
flutter build web --web-renderer html
This is a CORS (cross-origin resource sharing) issue and you do not have to delete/modify anything. You just have to enable the CORS request from your server-side and it will work fine.
In my case, I have created a server with node.js and express.js, so I just added this middleware function that will run for every request.
app.use(function(req, res, next) {
res.header("Access-Control-Allow-Origin", "*");
res.header("Access-Control-Allow-Methods", "GET,PUT,PATCH,POST,DELETE");
res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
next();
});
And BOOOOM! I received the data.
You just have to look at the settings to enable CORS for your server.
Server side engine like node js or django is really needed to work with flutter web with bunch of external apis. Actually there's high possibility of same CORS error when we try to use internal api because of the CORS mechanism related to port number difference.
There are bunch of steps and answers from SO contributors that recommend to use chrome extensions to avoid CORS errors, but that is actually not cool for users. All the users should download the browser extensions to use the single website from us, which wouldn't be there if we used true server engines.
CORS is from browser as far as i know, so our flutter ios and android apps with same api code don't give those CORS errors. First time i encountered this error with flutter web, i believed i can deal with CORS in my app code lines. But that is actually not healthy way for users and long term dev plans.
Hope all flutter web newbies understand that web is quite a wild field for us. Even though i'm also newbie here, i highly recommend all the flutter web devs from 1.22.n stable to learn server side engines like node js. It is worth try.
And if u came so far down to this line of my self-answer, here's a simple guide for flutter web with node js. Flutter web is on stable channel but all those necessary infra are not fully ready for newbies like me. So be careful when you first dive into web field, and hope you re-check all the conditions and requirements to find out if you really need web version of your flutter app, and also if you really need to do this work with flutter. And my answer was yes lol
https://blog.logrocket.com/flutter-web-app-node-js/
If you run a Spring Boot server, add "#CrossOrigin" to your Controller or to your service method.
#CrossOrigin
#PostMapping(path="/upload")
public #ResponseBody ResponseEntity<Void> upload(#RequestBody Object object) {
// ...
}
I know the question explicitly asked for a solution "with dart code" only, but I was not able to fix the exception with dart code (for example by changing the header).
The disabling web security approaches work well in development, but probably not so well in production. An approach that worked for me in production dart code involves avoiding the pre-flight CORS check entirely by keeping the web request simple. In my case this meant changing the request header to contain:
'Content-Type': 'text/plain'
Even though I'm actually sending json, setting it to text/plain avoids the pre-flight CORS check. The lambda function I'm calling didn't support pre-flight OPTIONS requests.
Here's some info on other ways to keep a request simple and avoid a pre-flight request
https://docs.flutter.dev/development/platform-integration/web-images
flutter run -d chrome --web-renderer html
flutter build web --web-renderer html
This official solution worked for me on Chrome only (Source). But I had to run it first every time.
flutter run -d chrome --web-renderer html
And disabling web security also worked (Source). But the browsers will show a warning banner.
But In case you are running on a different browser than Chrome (e.g. Edge) and you want to keep 'web security' enabled.
You can change the default web renderer in settings in VS Code
File ==> Preferences ==> Settings ==> Enter 'Flutter Web' in the Search Bar ==> Set the default web renderer to html
After hours of testing, the following works perfectly for me.
Add the following to the PHP file:
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST');
header("Access-Control-Allow-Headers: X-Requested-With");
This allow the correct connection with the HTTP GET POST with no issue from flutter for me.
I discovered this in the following discussion:
XMLHttpRequest error Flutter
I am getting the same error with php api so i add the php code these lines ;
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST');
header("Access-Control-Allow-Headers: X-Requested-With");
I think you may not doing this in right way.
The cors headers should be added in HTTP response header while you added them in you reuqest header obviously.
for more information check out the documentation https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#what_requests_use_cors
The below solution is great if you are only communicating with a local NodeJS server.
Install NodeJS
Create a basic NodeJS express project
Create a folder to put you NodeJS project in
ex: C:\node_project\
in PowerShell run: npm init in the folder
fill in your desired values
entry point: must be app.js for this example to work
in PowerShell run: npm install express in the folder
create a app.js file in the folder
// init express
const express = require("express");
const app = express();
// set the path to the web build folder
app.use(express.static("C:/Users/your_username/path_to_flutter_app/build/web"));
const PORT = process.env.PORT || 8080;
app.listen(PORT, () => {
console.log(`Server listening on port ${PORT}...`);
});
The value "C:/Users/your_username/path_to_flutter_app/build/web" must be changed to the web build folder in your flutter app.
The app can be accessed through your browser once the app is built, the node server is running, and the browser is at the correct address
Build the app
open PowerShell and navigate to the flutter project's root ex: C:/Users/your_username/path_to_flutter_app/
run flutter build web
turn on the node server
open PowerShell and navigate to the NodeJS server folder ex: C:\node_project\
run: node app.js
Open in your browser
Enter http://localhost:8080/ into the browser
Note that everytime you change your flutter app's dart code you will need to re-run flutter build web
Wrong Server on Target Port 🤦
I feel silly for even admitting this, but I had some other local server running on the targeted port. I've no clue why the server seemed to boot on the same port, or why the iOS app seemed to work, but now that I'm hitting the actual server it's working fine.
I was also getting some 404's mixed in, but originally thought that was due to the CORs error.
Maybe someone else has this same issue and this helps them.
In my case, The problem was in laravel backend code which did not support CORS, So I added the CORS into backend project then it worked successfully in test and live.
The 5th step of Osmans answer should be to add the option
'--disable-site-isolation-trials',
Only this works for me.
Chrome version 106.0.5249.119
Update:
I recommend to use User Rebo's answer. It is now possible to pass --disable-web-security as a browser flag to run & drive commands!
Original outdated answer:
Alternative solution for MacOS & Android Studio (without modifying Flutter source)
We use a similar approach as Osman Tuzcu. Instead of modifying the Flutter source code, we add the --disable-web-security argument in a shell script and just forward all other arguments that were set by Flutter. It might look overly complicated but it takes just a minute and there is no need to repeat it for every Flutter version.
1. Run this in your terminal
echo '#!/bin/zsh
# See also https://stackoverflow.com/a/31150244/410996
trap "trap - SIGTERM && kill -- -$$" SIGINT SIGTERM EXIT
set -e ; /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --test-type --disable-web-security "$#" ; set +e &
PID=$!
wait $PID
trap - SIGINT SIGTERM EXIT
wait $PID
' > ~/chrome_launcher
chmod 755 ~/chrome_launcher
This adds a chrome_launcher script to your user folder and marks it executable.
2. Add this line to your .zshrc (or .bashrc etc.):
export CHROME_EXECUTABLE=~/chrome_launcher
3. Restart Android Studio
If a simple restart does not work, use Invalidate Caches / Restart in Android Studio to force loading of changes.
Notes
The script also adds the --test-type flag to suppress the ugly warning about the disabled security features. Be aware that this option might also suppress other error messages!
The CHROME_EXECUTABLE takes only the path to an executable file it is not possible to set arguments there.
Without trapping exit signals and killing the process group, the Google Chrome instance was not killed when you hit the Stop Button in Android Studio.
If you are using FVM, I suggest to use flutter_cors package
dart pub global activate flutter_cors
fluttercors --disable
If you face
zsh: command not found: fluttercors
You need to add it to PATH. In my case, I'm using zsh, I add it to .zshrc by
vim ~/.zshrc
Press I to start editing and paste export PATH="$PATH":"$HOME/.pub-cache/bin" to the top of the file
Then press ESC and type :wq to save the .zshrc file.
Now you're good to go
Now, just need to run your flutter web normally. It will trigger Chrome without CORS.
For me none of the solutions above worked on production as it was expected. Altough there is one solution I can suggest which uses CORS proxy to avoid CORS issues on flutter web on production. You can find CORS proxies on this website.
Basically you bypass all the unnecessary headers which your browser appends to your requests, so you may not encounter the same CORS issues when making request to another API. Hope it helps!
It Worked With Me By The Following Code :
in conn.php file put like this :
<?php
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST');
header("Access-Control-Allow-Headers: X-Requested-With");
$connect = new mysqli("localhost","db_user","db_password","db_name");
if($connect){
}else{
echo "Connection Failed";
exit();
}
This is a CORS (cross-origin resource sharing) issue and you just need to enable the CORS request from your server-side.
In my case it is Asp.Net MVC Web API and adding below code to Application_BeginRequest at Global.asax worked for me:
HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "http://localhost:7777/");
if (HttpContext.Current.Request.HttpMethod == "OPTIONS")
{
//These headers are handling the "pre-flight" OPTIONS call sent by the browser
HttpContext.Current.Response.AddHeader("Access-Control-Allow-Methods", "POST, GET");
HttpContext.Current.Response.AddHeader("Access-Control-Allow-Headers", "content-type");
HttpContext.Current.Response.End();
}
Use desired urls , Methods and Headers
Also There is no need to change anything in Web.config
If anyone looking for an equivalent of the accepted answer (Osman's) when working with dart web (webdev), here's what worked for me on Dart 2.17.6 (a bit more complex but in case you needed a quick fix, it might be handful).
Find webdev executable (this helps) then you see something like this:
The snapshot file (generated if not exist, as you see) is executed when you want to run app in browser. It contains the code that dart runs when launching chrome (using browser_launcher dart package).
Backup and remove the snapshot file (location in the screenshot above) so it can be regenerated in next run.
Locate browser_launcher package in your pub cache (also you might find location of browser_launcher by searching in the snapshot file) and edit lib\src\chrome.dart, find '--disable-extensions' and add '--disable-web-security'.
Run your app and remove the backup created in step 2.
If you are working with django in the side of the service, you can configure CORS with 'corsheaders', in this link you can find whole the documentation to setup your back end and recognice your requests.
https://pypi.org/project/django-cors-headers/
Go to flutter\bin\cache and remove a file named: flutter_tools.stamp
Go to flutter\packages\flutter_tools\lib\src\web and open the file chrome.dart.
Find '--disable-extensions'
Add '--disable-web-security'
I hope this suits on Stackoverflow.
When I work from localhost and "reach out" to the Stripe JavaScript library I get this error:
Failed to load resource: net::ERR_BLOCKED_BY_ADBLOCKER
I have first of all verified that Opera's AdBlocker and Tracking cookie blocker are disabled for localhost. I have even enabled and disabled them. I have restarted Opera, and I have restarted the entire machine. I have also verified I have the latest version of Opera (v. 68).
I've tested a few other websites, where the same error occurs, but only if the AdBlocker is active. And I'm 100% confident the AdBlocker is de-activated for localhost (I'm not mixing up localhost or 127.0.0.1 either).
I'm using Opera's native AdBlocker, not a 3rd party.
If I disable ad-blocking browser-wide (ie from Opera's settings) it doesn't cause this problem.
It seems Opera is confused about localhost, no?
The problem does not occur in Chrome.
Google has very, very limited information about this error type.
I have to, the best of my knowledge, no other software which would block these "ads."
My project is coded in Vue and operated on port 5300 with NPM.
It doesn't seem to actually block the scripts Stripe wants to execute, but they fill up my console to the point of huge inconvenience.
Does anybody have any idea?
In Settings => Privacy Protection => Manage Exceptions => Block Ads => Exceptions
Have you tried adding the exceptions using this form (add one at a time):
127.0.0.1:5300
[*.]127.0.0.1:5300
Also, what OS are you using?
Have you tried mapping 127.0.0.1:5300 to something, like vuedev.local in your hosts file and use that name in the address-bar?
Just add an additional line in your hosts file, like:
# /etc/hosts IP -> host Mapping
127.0.0.1 localhost
127.0.0.1:5300 vuedev.local
If the above doesn't help, you could try installing vue-adblock-detect,
with
npm i vue-adblock-detect
and then try adding something like:
<script>
import VueAdBlockDetect from 'vue-adblock-detect';
export default{
mixins: [VueAdBlockDetect],
beforeMount(){
this.detectAdBlock().then((response)=>{
if(response){
// Pop-up an alert or something
}else{
// Do something else
}
})
}
}
</script>
That should get you a bit further into the investigation at least!
Disable the adblocker by clicking on the shield/tick icon and turn off the protection for the site.
It worked for me
We're trying to connect to an API (.net core 2.2) from react-native (version 0.59), via localhost, both apparently running on the same ip, different ports, react-native on port 8080, and the api on the 44344, the issue happens the moment we fetch the url from react-native
We’ve also tested running the url from Postman and everything seems ok, also from any of the web browser installed (safari/chrome), even we tested the browser INSIDE react-native iOS, and it works.
Any api running outside localhost works perfectly, is the localhost were we failed.
Network request failed.
onerror
whatwg-fetch.js:504:29
dispatchEvent
event-target.js:172:43
setReadyState
XMLHttpRequest.js:580:29
__didCompleteResponse
XMLHttpRequest.js:394:25
emit
EventEmitter.js:190:12
__callFunction
MessageQueue.js:366:47
<unknown>
MessageQueue.js:106:26
__guard
MessageQueue.js:314:10
callFunctionReturnFlushedQueue
MessageQueue.js:105:17
callFunctionReturnFlushedQueue
[native code]:0
Part of the code (function) that fetch the api, very simple (for now)
async Submit(){
//GET METHOD
try {
let response = await fetch('https://192.168.1.56:44344/api/values');
let responseJson = await response.json();
return Alert.alert(JSON.stringify(responseJson));
} catch (error) {
console.error(error);
}
}
Ok first of all, we've tried EVERY possible solution,to connect my react native app to my .net core api rest, both running in localhost, this is the list so far, of the things that we've tried so far, and still no result.
Localhost
127.0.0.1
Computer ip (network ip not mac address)
React Native blank project (from the ground up)
API .net core blank project (from the ground up)
Running snack expo + api .net core
ip forwarding (We can't do that do to our job policies/Not the solution we're looking for)
http/https
Different ports
Android and ios permissions from react-native
Same network different ip (this sorta worked, but we don't know exactly why it doesn't work running both react-native and the api in the same ip (localhost))
10.0.2.2 (for android)
Enable cors on api .net core (but apparently this doesn't work on native apps, only for web)
Expose the ip through ngrok/serveo (We can't do that do to our job policies/Not the solution we're looking for)
Frisbee
Axios
Websocket (We can't do that do to our job policies/Not the solution we're looking for)
XMLHttpRequest (status code error 0)
Firewall/proxy (our network is free from firewalls and proxies)
Web browser plugins (deactivated and/or uninstalled)
Cache/cookies
Docker (We can't do that do to our job policies/Not the solution we're looking for)
Reboot my macbook pro
we expect react native to fetch the api, so we can continue with the office 365 login authentication.
EDIT: I just discovered that fetching the machine ip (this time running windows), with my ip being 192.168.0.9 both on the api and the react native, the fetch result showed me the 10.0.2.2:80 in the header of the json response. I suppose it is the "localhost" ip from react native. How am I supposed to fetch an ip from localhost if react native is not letting me to do so?
EDIT: We had to go for plan B this time around, we've made it work with a docker on the api, but I need a solution for this problem. I'm 99% sure the issue is react-native and nothing else.
EDIT: After all these weeks one of my colleges managed to solve it. First of all, we couldn't make the firewall in my macbook pro work properly. Second, we solved that and found out our api was having issues. He found out the redirection was on https, and the certifications weren't working properly, so he changed this
"applicationUrl": "http://192.168.0.114:5001;https:192.168.0.114:5001"
to
"applicationUrl": "http://192.168.0.114:5001"
I got the same issue while fetching localhost API from react-native. Here is what I did to solve this issue.
In the startups class, I removed //app.UseHttpsRedirection(); from Configure method.(Not sure if it is needed)
After that in the launchsetting.js file under the properties folder, I changed from
"applicationUrl": "https://localhost:5001;http://localhost:5000"
to
"applicationUrl": "http://localhost:5000"
and in the React native part, I simply changed my localhost with my IP:
fetch('http://localhost:5000/values/') to fetch('http://127.0.0.1:5000/values/')
This completely worked for me
Take command prompt and type ipconfig, so we will be getting many addresses. From that take IPV4 and copy it to the clipboard. Then paste this address to both the back ends port address and front end port address.
eg say IPV4 address is 192.168.1.3 then make you your back end route API similar to this http://192.168.1.3:8080/patients, where 8080 is the port number (never mind). And use the same for the front end to grab the API result.
You have to do two things.
1 - Use http://192.168.1.x:8080 (your local ip ) rather than http:// localhost:8080 in your client.
2 - Add following code snippets to your .net core web api project in Startup.cs.
readonly string MyAllowSpecificOrigins = "_myAllowSpecificOrigins";
services.AddCors(options =>
{
options.AddPolicy(name: MyAllowSpecificOrigins,
builder =>
{
builder.WithOrigins("http://192.168.1.x:8080")
.AllowAnyHeader()
.AllowAnyMethod();
});
});
.
.
.
app.UseCors(MyAllowSpecificOrigins);
Something that worked for me was run adb reverse tcp:<YOUR PORT> tcp:<YOUR PORT> in terminal
I'm not sure of how it works exactely, but I guess it makes some sort of mapping from the virtual device port to your machine's.
Example:
adb reverse tcp:8080 tcp:8080
Using the local IP address worked for me, with no additional configuration.
Example:
fetch("http://192.168.0.103:4000/books", {
method: "GET"
})
Thanks for all the insight, but none of the above solutions worked for me.
What did work:
https://ngrok.com/ - Download ngrok, signup, and connect your account. ngrok creates a private https localhost tunnel.
Setup - https://dashboard.ngrok.com/get-started/setup
Unzip to install:
unzip /path/to/ngrok.zip
Connect your ngrok account (Non functioning example auth token):
ngrok config add-authtoken 2ySPR5UeS3Fjf5YAblNRe7ZcV1o_9sdf2SDFGHjEQaOCE6xEi
Use the command (with your desired port number):
ngrok http 8080
Once ngrok is online, replace your localhost address:
http://localhost:8080
http://127.0.0.1:8080
http://192.168.0.100:8080
with the forwarding web address (Non functioning example address):
https://ebda-61-137-45-130.ngrok.io
I've used ngrok countless times for testing on a variety of networks without issue. So far its the only foolproof method I've found for testing localhost APIs.
I've been having an issue for days and I don't know how to fix it.
I am trying to setup my SSL certificate, and for some reason the site works on http, and then when I try to load https, it loads only the navbar and sidebar, and then it's stuck on the spinner.
When I examine at the network connections on chrome, it keeps trying to load xhr and websockets.
In safari I get this error in the console
WebSocket connection to 'wss://mysite/sockjs/530/72iokiqa/websocket' failed: WebSocket is closed before the connection is established
I am trying to set the headers, in particular the x-forwarded-proto header, but I can't figure out how to do that.
I am using mup.
// Configure environment
"env": {
"ROOT_URL": "https://inslim.com"
},
"ssl": {
"pem": "./ssl.pem"
}
For some reason, when I try to add a por to the env variable, it won't allow me to do mup deploy. It will break and the site will go down.
I am also confused with nginx. I installed it and I set it up, but I don't think it's making any difference. If I run 'service nginx stop' or service nginx start, it doesn't make any difference.
Can someone help me? Any advice or anything would help. Or if you need any other info please let me know.
Here's a screenshot of my spinner of death
The ssl part of your configuration JSON looks fine, but your env part needs a little modification. The env part of the configuration JSON should at least look something like this:
"env": {
"PORT": 80, // Defaults to 80, but could be different if app is configured differently
"ROOT_URL": "http://inslim.com"
}
If you do not have the force-ssl package already added to your application, I would suggest adding that (don't worry, it is a core Meteor package). If you do not also have the spiderable package added to your application, then your ROOT_URL element in your JSON can remain prefixed with http, but if you do have the spiderable package added to your application, you will need to change that ROOT_URL element prefix in your JSON to be https. All of this information is per the documentation for Meteor Up, which can be found here. Also, I can confirm that this setup with the JSON works because I have a production application that is running with this exact setup without any issues.