Access from origin ‘’ has been blocked even though I’ve allowed

TL;DR is not an origin. Drop that trailing slash.

More details about the problem

No trailing slash allowed in the value of the Origin header

According to the CORS protocol (specified in the Fetch standard), browsers never set the Origin request header to a value with a trailing slash. Therefore, if a page at issues a cross-origin request, that request’s Origin header will contain

without any trailing slash.

Byte-by-byte comparison on the server side

You’re using Socket.IO, which relies on the Node.js cors package. That package won’t set any Access-Control-Allow-Origin in the response if the request’s origin doesn’t exactly match your CORS configuration’s origin value (

Putting it all together


'' ===

evaluates to false, which causes the cors package not to set any Access-Control-Allow-Origin header in the response, which causes the CORS check to fail in your browser, hence the CORS error you observed.

Example from the Fetch Standard

Section 3.2.5 of the Fetch Standard even provides an enlightening example of this mistake,

Access-Control-Allow-Origin: https://rabbit.invalid/

and explains why it causes the CORS check to fail:

A serialized origin has no trailing slash.

Leave a Comment