No 'Access-Control-Allow-Origin' header is present on the requested resource

Hi guys!

Relatively new to gitea, but I’ve tried all methods I could find relevant on Google but to no avail.

So I have a react project that is trying to read data from a json file that is hosted on gitea using axios.

Here’s the error messages returned:

I have tried changing the .ini file for gitea, changing my apache settings etc.

Would appreciate if someone could enlighten me on this!

Thank you!

Apparently this exists in Gitea (Custom Access-Control-Allow-Origin header in raw data · Issue #4309 · go-gitea/gitea · GitHub) but I don’t see an explanation of how to use it.

I found a similar issue from Gogs (Access-Control-Allow-Origin · Issue #3987 · gogs/gogs · GitHub) where they mentioned ACCESS_CONTROL_ALLOW_ORIGIN so I searched the Configuration Cheatsheet (sorry can’t link to it, I’m limited to 2 links for post as a new user) and tried implement it by adding the following to /var/lib/gitea/custom/conf/app.ini:


This does not seem to resolve the issue for me (even after restarting the service: systemctl restart gitea). Has anyone had luck resolving this? Thanks!

Can you try using the [cors] section instead? I’m not sure if ACCESS_CONTROL_ALLOW_ORIGIN still works.

Equivalent to ACCESS_CONTROL_ALLOW_ORIGIN = * should just be:

ENABLED = true
#ALLOW_DOMAIN = * (this is default value so not need setting)

Thanks for the reply @jake! I thought that putting ACCESS_CONTROL_ALLOW_ORIGIN made more sense in the [cors] section than the [repository] section despite the docs, so I had actually tried that, but without much luck.

I also already had the following in custom/conf/app.ini so I was surprised I was hitting this in the first place:

ENABLED         = true

I’ve since deleted the test project that I was using when I ran into this, but I’ll follow up with more details if I can recreate the issue. Thank you for the help!

I’m still running into this unfortunately, has anyone else been able to set an ‘Access-Control-Allow-Origin’ header?

I originally thought my issue might have been the endpoint URL I was POSTing to was incorrect so it was returning a 404 page that wasn’t setting the appropriate headers. However, I can successful interact with the endpoints using a local REST client (Insomnia) and the header just doesn’t seem to be there. Any additional help would be greatly appreciated! Thank you!

Which URL are you visiting?

Thanks for following up @wxiaoguang! I’m trying to POST to the /repos/{owner}/{repo}/contents/{filepath} endpoint (Gitea API). I can do this locally using Insomnia but if I try to do it from the browser I get the following error in the console:

blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

When I check the headers in the response in Insomnia, I don’t see Access-Control-Allow-Origin no matter what changes I make to custom/conf/app.ini. I can manipulate other CORS options like X_FRAME_OPTIONS though.

Sorry it looks like I did have a typo in my endpoint URL. That was returning a 404 error without the Access-Control-Allow-Origin header as expected. As mentioned before, the only config needed in custom/conf/app.ini appears to be:

ENABLED                 = true
ALLOW_DOMAIN            = *

Thank you for the help and sorry for the confusion!

1 Like

I also just want to note that after fixing the endpoint URL I could POST successfully, but PUT and DELETE would still 404. I thought these were enabled by default looking at the docs, but that doesn’t seem to be the case. In case it helps someone, you can enable these methods (and others) in custom/conf/app.ini like: