Missing token 'content-type' in CORS header 'Access-Control-Allow-Headers' from CORS preflight channel


I'm using the (still experimental) AJAX endpoint for forms API and I'm getting the following error on IE11:

SEC7123: Request header content-type was not present in the Access-Control-Allow-Headers list.

and this error on Firefox:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.hsforms.com/submissions/v3/integration/submit/[id]/[guid]. (Reason: missing token 'content-type' in CORS header 'Access-Control-Allow-Headers' from CORS preflight channel).

This request works just fine in Chrome and Edge.

OPTIONS response headers has access-control-allow-headers: * set, but apparently access-control-allow-headers does not accept wildcards by the spec. The accepted headers should probably listed separately in Hubspot Forms API instead of using a wildcard.

Forms AJAX Submission Endpoint

Hi @tlaak,

Thanks for bringing this to our attention. I've touched base with the team on this, and I'll update this thread when I have new information going forward.



Is there any word on a fix for this or a projected timeline. This is preventing us from releasing changes necessary for GDPR compliance.


Hi @Mitch_Rickman,

There hasn't been a fix for this rolled out yet, but I touched base with the team and they anticipate a fix to be ready for tomorrow. I'll keep this thread updated with new info as I get it.


Thanks it was very help full for me. thanks again