# INTERNAL: grpc-web: CORS preflight failed for origin http://malicious-site.com: Access-Control-Allow-Origin not present in response

- **ID:** `grpc/cors-preflight-origin-not-allowed`
- **Domain:** grpc
- **Category:** auth_error
- **Error Code:** `GRPC_WEB_CORS_ORIGIN_DENIED`
- **Verification:** ai_generated
- **Fix Rate:** 92%

## Root Cause

A gRPC-Web client from an unauthorized origin attempted a CORS preflight request, but the server's CORS policy did not include that origin in the allowed origins list.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| gRPC-Web v1.4.0 | active | — | — |
| envoy v1.28.0 | active | — | — |
| gRPC-web-go-client v1.4.0 | active | — | — |

## Workarounds

1. **Add the specific origin to the CORS allowlist on the gRPC-Web proxy (e.g., Envoy). In Envoy config: cors_policy: allow_origin_string_match: [prefix: "https://myapp.example.com"] allow_methods: "POST, OPTIONS" allow_headers: "content-type, x-grpc-web"** (95% success)
   ```
   Add the specific origin to the CORS allowlist on the gRPC-Web proxy (e.g., Envoy). In Envoy config: cors_policy: allow_origin_string_match: [prefix: "https://myapp.example.com"] allow_methods: "POST, OPTIONS" allow_headers: "content-type, x-grpc-web"
   ```
2. **If using a custom Go gRPC-Web server, add CORS middleware: func corsMiddleware(h http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Header().Set("Access-Control-Allow-Origin", "https://myapp.example.com"); w.Header().Set("Access-Control-Allow-Methods", "POST, OPTIONS"); w.Header().Set("Access-Control-Allow-Headers", "content-type, x-grpc-web"); if r.Method == "OPTIONS" { w.WriteHeader(http.StatusOK); return }; h.ServeHTTP(w, r) }) }** (90% success)
   ```
   If using a custom Go gRPC-Web server, add CORS middleware: func corsMiddleware(h http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Header().Set("Access-Control-Allow-Origin", "https://myapp.example.com"); w.Header().Set("Access-Control-Allow-Methods", "POST, OPTIONS"); w.Header().Set("Access-Control-Allow-Headers", "content-type, x-grpc-web"); if r.Method == "OPTIONS" { w.WriteHeader(http.StatusOK); return }; h.ServeHTTP(w, r) }) }
   ```
3. **Use a reverse proxy like nginx to add CORS headers before the request reaches the gRPC-Web server: add_header 'Access-Control-Allow-Origin' 'https://myapp.example.com' always;** (85% success)
   ```
   Use a reverse proxy like nginx to add CORS headers before the request reaches the gRPC-Web server: add_header 'Access-Control-Allow-Origin' 'https://myapp.example.com' always;
   ```

## Dead Ends

- **** — Setting Access-Control-Allow-Origin: * in production exposes the API to cross-site request forgery and data theft from any website. (90% fail)
- **** — Disabling CORS checks on the client by using a non-browser environment (e.g., curl) does not solve the problem for actual web users. (95% fail)