ECORS
grpc
config_error
ai_generated
true
INTERNAL: grpc-web: CORS preflight failed for origin http://example.com with credentials flag
ID: grpc/grpc-web-cors-credentials
88%Fix Rate
90%Confidence
1Evidence
2024-07-10First Seen
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Envoy v1.29.0 | active | — | — | — |
| gRPC-Web v1.4.2 | active | — | — | — |
| gRPC-Web v1.5.0 | active | — | — | — |
| Istio v1.21.0 | active | — | — | — |
Root Cause
Browser enforces CORS preflight check fails because the server doesn't include Access-Control-Allow-Credentials header when the client sends withCredentials: true.
generic中文
浏览器强制执行 CORS 预检检查失败,因为当客户端发送 withCredentials: true 时,服务器未包含 Access-Control-Allow-Credentials 标头。
Official Documentation
https://github.com/grpc/grpc-web/blob/master/doc/cors.mdWorkarounds
-
90% success Configure the proxy (Envoy/NGINX) to return Access-Control-Allow-Credentials: true and Access-Control-Allow-Origin: http://example.com explicitly.
Configure the proxy (Envoy/NGINX) to return Access-Control-Allow-Credentials: true and Access-Control-Allow-Origin: http://example.com explicitly.
-
70% success Remove `withCredentials: true` from the client if authentication is not required for the RPC.
Remove `withCredentials: true` from the client if authentication is not required for the RPC.
中文步骤
配置代理(Envoy/NGINX)显式返回 Access-Control-Allow-Credentials: true 和 Access-Control-Allow-Origin: http://example.com。
如果 RPC 不需要身份验证,从客户端移除 `withCredentials: true`。
Dead Ends
Common approaches that don't work:
-
Disabling CORS entirely in the browser
99% fail
Browsers enforce CORS; it cannot be disabled by client code.
-
Adding Access-Control-Allow-Origin: * only
90% fail
With credentials, the origin must be explicit, not wildcard.