Codeigniter CORS policy: No 'Access-Control-Allow-Origin' error How to resolve?

Question

Error: Access to Font at ' http://www.example.com//assets/global/plugins/font-awesome/fonts/fontawesome-webfont.woff2?v=4.4.0 ' from origin ' http://example.com ' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin ' http://example.com ' is therefore not allowed access.

Solution:

<?php
header('Access-Control-Allow-Origin: *');

class Home extends CI_Controller {
    public function index()
    {
        $this->load->view('master');
    }
}
?>

I tried this Solution but it not working can you please help me How to resolve it? and How to remove index.php from URL?

Answer 1

Try allowing GET & OPTIONS

<?php
header('Access-Control-Allow-Origin: *');
header("Access-Control-Allow-Methods: GET, OPTIONS");

If the above doesn't work, try allowing access to font resources via .htaccess (for apache) or in nginx server block - add these lines:

# Apache config
<FilesMatch ".(eot|ttf|otf|woff)">
    Header set Access-Control-Allow-Origin "*"
</FilesMatch>

or

# nginx config
if ($filename ~* ^.*?\.(eot)|(ttf)|(woff)$){
    add_header Access-Control-Allow-Origin *;
}

Answer 2

Allowing cross-site scripting may cause security issues, try to adjust your codeigniter options;

1. Go to application/config/config.php file,
   
2. find $config['base_url'] = ""; and
   

3. place your project folder's path as value.

    $config['base_url']="http://localhost/yourProjectFolder/";

Answer 3

Just we want add 'www' infront of domain name.

Go to application/config/config.php file,

 $config['base_url']="http://yourdoamin.com";

Change to

 $config['base_url']="http://www.yourdoamin.com";

Answer 4

Codeigniter is a cool framework to manipulate PHP, for CORS, you don't need to enable it as it has security implications, just do the following

1. open config.php ,
2. look for $config['base_url'] = "";
3. change it to $config['base_url']="http://localhost/youproject/";

Save and reload your application. Your good to go

Answer 5

Add " Allow from all " in .htaccess file if it still doesn't work.

<FilesMatch ".(ttf|otf|eot|woff|woff2)$">
  <IfModule mod_headers.c>
    Allow from all
    Header set Access-Control-Allow-Origin "*"
  </IfModule>
</FilesMatch>

Answer 6

Add this directly to your php controller file:

Header('Access-Control-Allow-Origin: *'); //for allow any domain, insecure
Header('Access-Control-Allow-Headers: *'); //for allow any headers, insecure
Header('Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE'); //method allowed

Answer 7

In my experience none of this answers was usable for me and the important item missed . Using "*" is insecure.

header("Access-Control-Allow-Headers: Origin,X-Requested-With");

Every where in web , experts just hint to little and common list of this headers. If you are customized the headers for some reasons like authorization you need to use extended list like this. Use the headers related to your used options

header("Access-Control-Allow-Headers: Origin,X-Requested-With,Content-Type,Accept,Access-Control-Request-Method,Authorization,Cache-Control")

Answer 8

Use header() functions in your Codeigniter __construct

    public function __construct()
            {
                parent::__construct();
                $this->load->model('api_model');
                $this->load->library('form_validation');
        
                Header('Access-Control-Allow-Origin: *'); //for allow any domain, insecure
                Header('Access-Control-Allow-Headers: *'); //for allow any headers, insecure
                Header('Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE'); //method allowed

//Or

        header('Access-Control-Allow-Origin: website_url');
        header("Content-Type: application/json; charset=UTF-8");
        Header('Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE'); //method allowed
            }

Answer 9

For my case, it thrown the same issue in the console. I added the header in the file level as well as in the server level. It was still throwing the same error. Then I reached out to the respective vendors. They added the domain in their allowlist. Afterwards, it started working. It did not throw any error in the console.

So this could be one of the issue. And this may help others. Thank you.