10 months ago
n8n community version (self-hosted) installation
Webform submit from external domain to n8n webhook
returns
Access to fetch at 'https://n8n.data-gate.ch/webhook/wingpal_register' from origin 'https://external-domain-here.org' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'.Understand this error
?page_id=6:794
POST https://n8n.webhook-domain-here.ch/webhook/wingpal_register net::ERR_FAILED
submitForm @ ?page_id=6:794
handleRegister @ ?page_id=6:740Understand this error
?page_id=6:811 Form submission error: TypeError: Failed to fetch
at submitForm (?page_id=6:794:40)
at HTMLFormElement.handleRegister (?page_id=6:740:19)
There are many header settings in n8n that can/should be set to allow for the preflight response to permit CORS posts:
These response headers are set in the n8n webhook node:
Name: Access-Control-Allow-Origin Value: https://external-domain-here.org
Name: Access-Control-Allow-Credentials Value: true
Name: Access-Control-Allow-Methods Value: POST, OPTIONS
Name: Access-Control-Allow-Headers Value: Content-Type
Name: Content-Type Value: application/json
Some literature states that railway blocks the preflight OPTIONS conversation, so the header response never reaches the external webdomain and hence stops the transaction.
Other literature indicates that a series of env variables would need to be set on railway hosting instances:
WEBHOOK_CORS_ALLOWED_ORIGINS="https://external-web-site.org" WEBHOOK_CORS_ALLOWED_METHODS="GET,HEAD,POST,PUT,DELETE,OPTIONS" WEBHOOK_CORS_ALLOWED_HEADERS="Content-Type,Authorization,X-Requested-With,Accept" N8N_EXPRESS_TRUST_PROXY="true"
N8N_ALLOW_CREDENTIALS="true"
N8N_CORS_ORIGINS="https://external-web-site.org"
But having set them does not change the outcome.
While the header "Access-Control-Allow-Origin" seems to get through by setting this header in the n8n webhook header response, the header "Access-Control-Allow-Credentials" which should be "true" is not sent or not received.
3 Replies
10 months ago
In short: the question is:
What settings on Railway and/or n8n are required to allow for form submit from external domain with credentials: 'include'
10 months ago
Using webhook header "Access-Control-Allow-Credentials" to true should have worked in the same way as the other one worked
10 months ago
Are you using cloudflare? It could block or change preflight requests