CORS policy with Girder



I have a Girder server running on .

I have a front page running locally on my laptop (localhost using an apache serveur) and I make it access some custom girder API on

Problem is, Chrome complains about CORS policy:
Access to XMLHttpRequest at ‘http://my-awesome-server/api/v1/viewer/configuration?token=…’ from origin ‘http://localhost:8080’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: Redirect is not allowed for a preflight request.

On the Girder server, I configured the Advanced setting “CORS Allowed Origins” with * and I restarted the server. When I check the network request headers, I don’t see Access-Control-Allow-Origin
Is there anything else I must do ?

It works fine if I start Google Chrome without web security checks.



You should definitely see Access-Control-Allow-Origin headers in responses from Girder REST requests if you’ve configured the server to allow it. What version of Girder are you running?


I suspect the problem might be related to the server sending back a redirect. As stated in the error message, redirects are not allowed in the preflight OPTIONS request. The browser might just be dropping the CORS header because of that.

You might check the request in the terminal using curl (right click on the request and select “Copy as cURL”). Getting the verbose output from that might help illuminate what is actually going on.


Could the domain mismatch be causing the redirect? ( vs


Thanks Jonathan for the curl copy hint. With it, I realized that the URL I was using was http but the server redirects http to https. Therefore the OPTIONS request was failing with error “301 Moved Permanently”.

Now that I changed the URL from http to https, I have an error “401 Unauthorized”. While my URL works with GET, it fails with OPTIONS. I guess it means I need to change the server to accept OPTIONS requests…

Keeping you informed…

Thanks for your help,


That is probably the CORS preflight request, which is required for any HTTP verb that can mutate the server state (PUT, POST, DELETE, etc.). The browser automatically sends it when necessary.

I believe that girder will reply to the OPTIONS request without checking auth, so I’m not sure where the 401 is coming from.


Yes, if the request gets through to Girder it will give you a 200 OPTIONS response, my guess is something else is giving that response. Do you have the full response output including headers?