All Products
Search
Document Center

:Request to Alibaba Cloud Content Delivery Network cross-domain problem with accelerated domain name and prompt "The 'Access-Control-Allow-Origin' header has a value 'xxx' that is not equal to the supplied origin"

最終更新日:May 19, 2021

Problem description

cross-domain error was reported in the request Alibaba Cloud Content Delivery Network accelerated domain name. The specific information is as follows:

The 'Access-Control-Allow-Origin' header has a value 'xxx' that is not equal to the supplied origin

Cause

As can be seen from the content of the problem description, the value value of the Access-Control-Allow-Origin cross-domain header of the Alibaba Cloud Content Delivery Network response is inconsistent with the Origin cross-domain header of the client request, resulting in the browser not responding to the request. For example, the request cross-domain header is "Origin:http:// Domain Name A", but the cross-domain header of the response is "Access-Control-Allow-Origin:http:// Domain Name B". There are three reasons for this problem:

  • The cross-domain header configured by the Alibaba Cloud Content Delivery Network is inconsistent with the Origin requested by the client
  • The cross-domain header configured by the origin station is Alibaba Cloud Content Delivery Network cached
  • Browser cache

Solution

  • The cross-domain header configured by the Alibaba Cloud Content Delivery Network is inconsistent with the Origin requested by the client:
    in this case, the cross-domain header configuration of the Alibaba Cloud Content Delivery Network needs to be modified to be consistent with the Origin requested by the client. At present, Alibaba Cloud Content Delivery Network can only configure one cross-domain header by default. If there are multiple Origin in the actual business, the Alibaba Cloud Content Delivery Network cross-domain response header value can be configured as "*". Please refer to Alibaba Cloud Content Delivery Network how to configure cross-domain resource sharing (CORS) through HTTP headers for details.
  • The cross-domain header configured by the source station is Alibaba Cloud Content Delivery Network cached:
    when the client requests for the first time, the request cross-domain header is "Origin:http:// domain name a". Alibaba Cloud Content Delivery Network does not hit the cache, it goes back to the source according to the rules. since the source station is configured with the cross-domain header, it responds to "Access-Control-Allow-Origin:http:// domain name a"; When the client requests for the second time, the request cross-domain header is "Origin:http:// Domain Name B", but because the Alibaba Cloud Content Delivery Network has already cached the data requested for the first time before, the cached data will be directly returned, and the cross-domain response header in the cached data is "Access-Control-Allow-Origin:http:// Domain Name A", which causes the response value to not match the client and is denied access by the browser. There are two solutions to this situation:
    • Scheme 1:
      The source station does not need to configure the cross-domain header, but directly configures the cross-domain header on the Alibaba Cloud Content Delivery Network. Then refresh the Alibaba Cloud Content Delivery Network cache and clear all the historical caches. See Refresh and Preheat Resources for how to refresh.
    • Scheme 2:
      When configuring the Access-Control-Allow-Origin response header parameter on the Alibaba Cloud Content Delivery Network, select whether to allow repetition as not allowed. In this case, when the source station responds to the cross-domain header, the Alibaba Cloud Content Delivery Network will remove the response header of the source station and respond to the client according to the Alibaba Cloud Content Delivery Network cross-domain response header rule.
  • Browser cache:
    when the client requests for the first time, the request cross-domain header is "Origin:http:// domain name a" and the Alibaba Cloud Content Delivery Network responds to "Access-Control-Allow-Origin:http:// domain name a"; When the client requests for the second time, the request cross-domain header is "Origin:http:// domain name b", but because the browser cached the result of the last request, the cached data was directly returned. However, the cross-domain response header in the cached data is "Access-Control-Allow-Origin:http:// domain name a", resulting in the response value not matching the client and being denied access by the browser. When this problem occurs.
    the browser cache needs to be forced. In order to avoid this situation, it is recommended to configure Cache-Control to no-cache on the Alibaba Cloud Content Delivery Network to force the browser not to cache data.

Application scope

  • CDN
  • DCDN