Missing token 'content-type' in CORS header 'Access-Control-Allow-Headers' from CORS preflight channel

tlaak · 2018-06-04 12:03:26 UTC

I'm using the (still experimental) AJAX endpoint for forms API and I'm getting the following error on IE11:

SEC7123: Request header content-type was not present in the Access-Control-Allow-Headers list.

and this error on Firefox:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.hsforms.com/submissions/v3/integration/submit/[id]/[guid]. (Reason: missing token 'content-type' in CORS header 'Access-Control-Allow-Headers' from CORS preflight channel).

This request works just fine in Chrome and Edge.

OPTIONS response headers has access-control-allow-headers: * set, but apparently access-control-allow-headers does not accept wildcards by the spec. The accepted headers should probably listed separately in Hubspot Forms API instead of using a wildcard.

Derek_Gervais · 2018-06-08 18:08:30 UTC

Hi @tlaak,

Thanks for bringing this to our attention. I've touched base with the team on this, and I'll update this thread when I have new information going forward.

Mitch_Rickman · 2018-06-19 00:14:23 UTC

@Derek_Gervais

Is there any word on a fix for this or a projected timeline. This is preventing us from releasing changes necessary for GDPR compliance.

Derek_Gervais · 2018-06-21 18:09:17 UTC

Hi @Mitch_Rickman,

There hasn't been a fix for this rolled out yet, but I touched base with the team and they anticipate a fix to be ready for tomorrow. I'll keep this thread updated with new info as I get it.