socket.io: CORS problem (No 'Access-Control-Allow-Origin') on client

Hi all,

Typically if you do have server with sockets on another domain and you do simple first line io('YOUR_HOST'), you will receive this message: XMLHttpRequest cannot load YOUR_HOSTsocket.io/?EIO=3&transport=polling&t=1446467052356-0. No 'Access-Control-Allow-Origin'...

First appeared in head, that I need to look at documentation and find out how to set it from there, but eventually I did not find anything because of pure documentation. Then I entered source code and the only 2 usages of setRequestHeader method, which is actually allow you to do that, is only for setting content-type if POST method is chosen.

Could you help me to fix this issue?

About this issue

  • Original URL
  • State: closed
  • Created 9 years ago
  • Comments: 25 (2 by maintainers)

Most upvoted comments

I’m using cors extension for google chrome and socket.io for chat application on my nodejs+Angular2 app but it is giving follwing error. XMLHttpRequest cannot load http://localhost:8000/socket.io/?username=amit&EIO=3&transport=polling&t=LsdeeNk. The value of the ‘Access-Control-Allow-Origin’ header in the response must not be the wildcard ‘*’ when the request’s credentials mode is ‘include’. Origin ‘http://localhost:4200’ is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

+20
hasanraza-axovel on Aug 3, 2017

It appears that Socket.io’s definition of “origin” is somewhat different from the normal one (at least the one on MDN): Socket.io doesn’t seem to want the scheme to be included. See this block of code which checks the origin against the origins array. It looks for domain + ':' + port. So if you set your origins to be ['https://example.com:6789'], it won’t find the origin in your array. If you set origins to ['example.com:6789'], then it should work (at least it did for me when I removed the scheme).

It seems an open question to the project authors whether this constitutes a bug.

+7
turnerhayes on Jun 8, 2017

Same problem here. I’d like to allow all origins access to my socket, but also allow credentials, because I’ll authenticate clients using JSON web tokens. I can’t specify allowed origins on the server because I won’t know them in advance. Having the option to set withCredentials to false in the XHR would solve this I think.

+5
dwhieb on Apr 13, 2016

Guys,

I have tried a lot with express with no success. However, it works just fine with http.

`var server = require(“http”).createServer(onRequest); var io = require(“socket.io”)(server);

function onRequest(req,res){ res.writeHead(200, { ‘Access-Control-Allow-Origin’ : ‘*’ }); };

io.on(‘connection’, function(socket) { console.log(‘a user connected’);

socket.on('Time Ping', function(data){
	console.log("got here");
});

});

server.listen(3002, function(){ console.log(“Listening to port 3002.”); });`

+3
williampmb on Dec 13, 2016

I am a bit confused by your code. The allowed origins option goes in your socket.io server not in the client i.e. in node.js code not in browser javascript that is part of a html page. Also I usually use a wildcard on the port and you can specify multiple allowed origins, just space them out like so:

//in node.js
var app = require('express')();
var io = require('socket.io');
var server = require('http').createServer(app);
var allowedOrigins = "http://localhost:* http://127.0.0.1:*";
var path ='/stomp'; // you need this if you want to connect to something other than the default socket.io path

var sio_server = io(server, {
    origins: allowedOrigins,
    path : path
});

On the client side

var clientSocket = io({path:'/stomp'});
+3
LordMajestros on Nov 3, 2015
Read more comments on GitHub
← socket.io: Clients don't receive messages
socket.io: Don't reuse same-namespace connections →