{ "id": "grpc/cors-preflight-origin-not-allowed", "signature": "INTERNAL: grpc-web: CORS preflight failed for origin http://malicious-site.com: Access-Control-Allow-Origin not present in response", "signature_zh": "INTERNAL: gRPC-Web: 来源 http://malicious-site.com 的 CORS 预检失败:响应中未包含 Access-Control-Allow-Origin", "regex": "grpc-web: CORS preflight failed for origin .*: Access-Control-Allow-Origin not present in response", "domain": "grpc", "category": "auth_error", "subcategory": null, "root_cause": "A gRPC-Web client from an unauthorized origin attempted a CORS preflight request, but the server's CORS policy did not include that origin in the allowed origins list.", "root_cause_type": "generic", "root_cause_zh": "来自未授权来源的 gRPC-Web 客户端尝试了 CORS 预检请求,但服务器的 CORS 策略未将该来源列入允许列表。", "versions": [ { "version": "gRPC-Web v1.4.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "envoy v1.28.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "gRPC-web-go-client v1.4.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "Setting Access-Control-Allow-Origin: * in production exposes the API to cross-site request forgery and data theft from any website.", "fail_rate": 0.9, "condition": "", "sources": [] }, { "action": "", "why_fails": "Disabling CORS checks on the client by using a non-browser environment (e.g., curl) does not solve the problem for actual web users.", "fail_rate": 0.95, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Add the specific origin to the CORS allowlist on the gRPC-Web proxy (e.g., Envoy). In Envoy config: cors_policy: allow_origin_string_match: [prefix: \"https://myapp.example.com\"] allow_methods: \"POST, OPTIONS\" allow_headers: \"content-type, x-grpc-web\"", "success_rate": 0.95, "how": "Add the specific origin to the CORS allowlist on the gRPC-Web proxy (e.g., Envoy). In Envoy config: cors_policy: allow_origin_string_match: [prefix: \"https://myapp.example.com\"] allow_methods: \"POST, OPTIONS\" allow_headers: \"content-type, x-grpc-web\"", "condition": "", "sources": [] }, { "action": "If using a custom Go gRPC-Web server, add CORS middleware: func corsMiddleware(h http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Header().Set(\"Access-Control-Allow-Origin\", \"https://myapp.example.com\"); w.Header().Set(\"Access-Control-Allow-Methods\", \"POST, OPTIONS\"); w.Header().Set(\"Access-Control-Allow-Headers\", \"content-type, x-grpc-web\"); if r.Method == \"OPTIONS\" { w.WriteHeader(http.StatusOK); return }; h.ServeHTTP(w, r) }) }", "success_rate": 0.9, "how": "If using a custom Go gRPC-Web server, add CORS middleware: func corsMiddleware(h http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Header().Set(\"Access-Control-Allow-Origin\", \"https://myapp.example.com\"); w.Header().Set(\"Access-Control-Allow-Methods\", \"POST, OPTIONS\"); w.Header().Set(\"Access-Control-Allow-Headers\", \"content-type, x-grpc-web\"); if r.Method == \"OPTIONS\" { w.WriteHeader(http.StatusOK); return }; h.ServeHTTP(w, r) }) }", "condition": "", "sources": [] }, { "action": "Use a reverse proxy like nginx to add CORS headers before the request reaches the gRPC-Web server: add_header 'Access-Control-Allow-Origin' 'https://myapp.example.com' always;", "success_rate": 0.85, "how": "Use a reverse proxy like nginx to add CORS headers before the request reaches the gRPC-Web server: add_header 'Access-Control-Allow-Origin' 'https://myapp.example.com' always;", "condition": "", "sources": [] } ], "workarounds_zh": [ "Add the specific origin to the CORS allowlist on the gRPC-Web proxy (e.g., Envoy). In Envoy config: cors_policy: allow_origin_string_match: [prefix: \"https://myapp.example.com\"] allow_methods: \"POST, OPTIONS\" allow_headers: \"content-type, x-grpc-web\"", "If using a custom Go gRPC-Web server, add CORS middleware: func corsMiddleware(h http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Header().Set(\"Access-Control-Allow-Origin\", \"https://myapp.example.com\"); w.Header().Set(\"Access-Control-Allow-Methods\", \"POST, OPTIONS\"); w.Header().Set(\"Access-Control-Allow-Headers\", \"content-type, x-grpc-web\"); if r.Method == \"OPTIONS\" { w.WriteHeader(http.StatusOK); return }; h.ServeHTTP(w, r) }) }", "Use a reverse proxy like nginx to add CORS headers before the request reaches the gRPC-Web server: add_header 'Access-Control-Allow-Origin' 'https://myapp.example.com' always;" ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://github.com/grpc/grpc-web/blob/master/README.md#cors", "official_doc_section": null, "error_code": "GRPC_WEB_CORS_ORIGIN_DENIED", "verification_tier": "ai_generated", "confidence": 0.89, "fix_success_rate": 0.92, "resolvable": "true", "first_seen": "2024-02-28", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }