Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at (Reason: CORS request did not succeed)

Hi… I am building a chatbot using Rasa. I have to deploy my bot on a Linux server, so I am using Nginx and running Rasa at the backend… I call Rasa with an AJAX call from my JavaScript file…

My Rasa version is: Rasa 1.7.1

nginx version: 1.16.1

I am running rasa with the following commands:

    rasa run actions

    python -m rasa run --m ./models --endpoints endpoints.yml --port 5005 -vv --enable-api --cors "*"

When I hit my IP… I can use Rasa perfectly… but everyone else on my LAN gets the following error: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at (Reason: CORS request did not succeed).

This is my endpoint file:

    url: ""

I have tried all the solutions given in the forum but I have been stuck here for days :( Can anyone help me with this please?

Hey @AnikaTabassum, I see that you’re already using the --cors argument. The problem still appears to be related to CORS, however. Is there a chance it might be an Nginx configuration problem? Two things I would try are:

  1. Removing Nginx and having other people access port 5005 directly to see if it works
  2. Configuring Nginx in a way that enables it to handle CORS preflight requests (maybe enable cross-origin resource sharing will help, but I haven’t tried it personally)

Thanks! I found out that my 5005 port was blocked! I enabled the port by giving these commands in the terminal:

    sudo /sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5005 -j ACCEPT

    sudo /sbin/iptables-save


The Same Origin Policy (SOP) is a security measure standardized among browsers. It is needed to prevent Cross-Site Request Forgery (CSRF). The “Origin” mostly refers to a “Domain”. Same Origin Policy prevents different origins (domains) from interacting with each other, to prevent attacks such as CSRF (Cross Site Request Forgery) through such requests, like AJAX. In other words, the browser would not allow any site to make a request to any other site. Without Same Origin Policy, any web page would be able to access the DOM of other pages.

This SOP (Same Origin Policy) exists because it is too easy to inject a link to a JavaScript file that is on a different domain. This is actually a security risk; you really only want code that comes from the site you are on to execute and not just any code that is out there.

If you want to bypass that restriction when fetching the contents with the fetch API or XMLHttpRequest in JavaScript, you can use a proxy server so that it sets the header Access-Control-Allow-Origin to *.

If you need to enable CORS on the server in the case of localhost, you need to have the following in the request header.

    Access-Control-Allow-Origin: http://localhost:9999
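
Added example, not part of any post in this thread: Firefox's reason "CORS request did not succeed" means no HTTP response arrived at all, which is why opening port 5005 resolved it, and the sketch below separates that case from genuine CORS header failures. The `diagnose` function, the probe objects and the address `http://192.0.2.10` are constructed for illustration, and it assumes the AJAX call sends a JSON `Content-Type`, which triggers a preflight.

```javascript
// Added example: classify one cross-origin probe the way a browser would.
// probe = { error } when no HTTP response arrived, else { status, headers, preflight }.
const SAFE_METHODS = ["GET", "HEAD", "POST"]; // CORS-safelisted methods

function list(value) {
  return (value || "").split(",").map((s) => s.trim()).filter(Boolean);
}

function diagnose(probe, pageOrigin, req = {}) {
  // Assumption: the page POSTs JSON, so "content-type" is a non-safelisted header.
  const { method = "POST", headers = ["content-type"], credentials = false } = req;
  // No response at all (filtered port, service down): Firefox words this as
  // "CORS request did not succeed". No response header can fix it.
  if (probe.error) return { verdict: "network", detail: probe.error };

  const h = {};
  for (const [k, v] of Object.entries(probe.headers || {})) h[k.toLowerCase()] = String(v).trim();

  const acao = h["access-control-allow-origin"];
  if (!acao) return { verdict: "acao-missing", detail: "no Access-Control-Allow-Origin" };
  if (acao === "*" && credentials) return { verdict: "wildcard-with-credentials", detail: acao };
  if (acao !== "*" && acao !== pageOrigin) return { verdict: "origin-mismatch", detail: acao };

  if (probe.preflight) {
    if (probe.status < 200 || probe.status > 299) return { verdict: "preflight-status", detail: String(probe.status) };
    const star = !credentials; // "*" only acts as a wildcard without credentials
    const methods = list(h["access-control-allow-methods"]);
    if (!SAFE_METHODS.includes(method) && !methods.includes(method) && !(star && methods.includes("*")))
      return { verdict: "method-not-allowed", detail: method };
    const allowed = list(h["access-control-allow-headers"]).map((s) => s.toLowerCase());
    for (const name of headers.map((s) => s.toLowerCase())) {
      const wild = star && allowed.includes("*") && name !== "authorization";
      if (!allowed.includes(name) && !wild) return { verdict: "header-not-allowed", detail: name };
    }
  }
  return { verdict: "ok", detail: "browser would expose the response" };
}

// Constructed samples (not from the thread); 192.0.2.10 is a documentation address.
const PAGE_ORIGIN = "http://192.0.2.10";
const samples = {
  blockedPort: { error: "ETIMEDOUT" },
  noCorsHeaders: { status: 200, headers: {}, preflight: false },
  goodPreflight: { status: 204, preflight: true, headers: {
    "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Headers": "Content-Type" } },
  missingAllowHeaders: { status: 204, preflight: true, headers: { "Access-Control-Allow-Origin": "*" } },
};
for (const [name, probe] of Object.entries(samples)) console.log(name, diagnose(probe, PAGE_ORIGIN).verdict);
```

A `network` verdict points at the firewall or listener rather than at `--cors` or proxy headers.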