'request.withCredentials = true' breaks CORS

[tomw1808]

The latest change in httpprovider breaks CORS with ganache and possibly other tools (for me at least), where the CORS-domain cannot be set explicitly.

Chrome comes up with the following error message: "Failed to load http://localhost:7545/: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'null' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute."

Reproduce this issue by using the web3 0.20, e.g. "npm install [email protected]" and then a simple index.html with the most simplistic content opening in Chrome:

<!doctype html>

<html>

<head>
  <script src="node_modules/web3/dist/web3.js" type="text/javascript"></script>
</head>

<body>

  <div>Here is some content.</div>


  <script>
    var web3;
    if (typeof web3 !== 'undefined') {
      web3 = new Web3(web3.currentProvider);
    } else {
      // set the provider you want from Web3.providers
      web3 = new Web3(new Web3.providers.HttpProvider("http://localhost:7545"));
    }

  </script>
</body>

</html>

Anything I can do on my side?

https://github.com/ethereum/web3.js/blob/b4c1542ddb5284267f6814ba0106bfbbc83fe166/lib/web3/httpprovider.js#L66

[nomoreboredom]

I am also experiencing this after migrating to version 35, following.

[H34D]

i can confirm this, after downgrading to 0.20.6 it worked again.

[pierreneter]

Related to #1803

[angelina999990]

Encountered the same issue which says 'The value of the 'Access-Control-Allow-Credentials must be true'. I'm using [email protected]

[angelina999990]

after downgrading to 0.20.6 it worked again. It works as well

[tradzero]

i found safari will add user-agent to Access-Control-Request-Headers, and infura will reject this request. but i dont know how to remove that

[edwardfxiao]

@tradzero downgrade to v1.0.0-beta.33 solved my problem

[levity]

For users of v1.0.0-beta, downgrading to v1.0.0-beta.34 will also work, because the issue was introduced after it, in this commit.

I had to downgrade in order to use HttpProvider with Infura. Probably the longer-term solution is to allow withCredentials to be turned off by an option in the constructor arguments.

[0xclem]

I can confirm that downgrading to v1.0.0-beta.34 fixes the issue. Both Safari and Firefox were impacted.

[karlphillip]

What is the correct command to downgrade to that specific version?

[0xclem]

@karlphillip something like yarn remove web3 && yarn add [email protected] should work.

[karlphillip]

Thank you, ended up going with:
npm install [email protected] --save

[therightstuff]

#1956 resolves this by removing the credential requirement when there's no user / password supplied,

@frozeman @nivida this seems to be an issue for quite a lot of people, is there another way to work around this or do you have any comments for the PR?

[jamesmorgan]

Any ideas on how to solve this - I find it works in most browsers but safari?

[aratakokubun]

I have the same issue and can not resolve with Chrome, FireFox and Safari...

[todorone]

Unfortunately this is a blocking issue, so all versions above beta.34 are unavailable for React Native platform due to it's cookies headers resulting this error:

Can somebody proficient suggest any temporary workaround until this issue is resolved? Thanks.
@nivida @tomw1808

[barrard]

Im getting this error also :(
Fetch API cannot load https://rinkeby.infura.io/v3/xxxxxxxx due to access control checks.

[nivida]

This got fixed with PR #2564 and will be released this week.

[vanchinathans-git]

I can confirm that downgrading to v1.0.0-beta.34 fixes the issue. Both Safari and Firefox were impacted.

Thank you so much. It saved my day.

[glowkeeper]

I think I'm seeing the same issue on a MAC build of Clickz Latest, which is trying to run the following dat:

dat://795f83fa1356cd7d00e5cfe8f1a93f32c55127684c6fc4cb8ff89a32e000016b

That is a frontend to some contracts running on the Ethereum Rinkeby Test Network, so it relies on MetaMask to inject a web3.js instance that points to Rinkeby. Unfortunately, no matter what I do with MetaMask, my app' thinks it's on the Ropsten network, and I get these errors:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://127.0.0.1:8545/. (Reason: CORS request did not succeed).

I'm assuming that the reference to http://127.0.0.1:8545/ comes from web3.js, since it is not mentioned anywhere else in my code.

Interestingly, the very same dat works seamlessly on vanilla Firefox with the dat P2P protocol extension installed.

Meanwhile, what to do concerning that error using Clickz Latest? I've seen some possibilities involving XMLHttpRequest, but I can't find any docs as to how to use that when setting my web3 provider. Would it help?

[nivida]

@glowkeeper This got fixed with #3112 and will be released with 1.2.2.

[glowkeeper]

Awesome! When is 1.2.2 due for release?

[0xZick]

@nivida When is 1.2.2 due for release ?)

[glowkeeper]

@nivida - I appreciate you're probably busy, but I'm trying to work out project plans for some of my dApps, and that 1.2.2 upgrade has become an important ingredient of those plans. Any news on release dates?

[nivida]

The release is planned for Monday. I will do the last tests and improvements over the weekend and will release it in the late afternoon on Monday (CEST)

[glowkeeper]

Brilliant - thanks, @nivida

[glowkeeper]

Problems?

[glowkeeper]

Oooo - just seen the new version - awesome - thanks @nivida!