Cross origin domain error on requesting a login token

[dustinkerstein]

When I try to use a non-Heroku domain I receive this error:

Failed to send the token to XYZ: Cross origin requests not allowed.

Even though this domain is listed in the "Allowed addresses" section.

[wrr]

Are you maybe using some kind of HTTP proxy that modifies requests headers?

Could you open the Network tab of the debug console in Chrome browser, request a token and see what headers are sent with the send-token/ HTTP POST? In particular the Origin and Host header should have the same domain.

[dustinkerstein]

I'm using CloudFlare so that's entirely possible. I'll look into those headers later today.

[wrr]

With CloudFlare, if you use HTTPS to contact CloudFlare, but have CloudFlare configured to talk to Heroku via plain HTTP it could perhaps cause such failure (haven't tested this though).

[dustinkerstein]

I don't believe I can control how Cloudflare communicates to my origin. Can you think of any way to debug this? Thanks.

[wrr]

You can control it: https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-Off-Flexible-SSL-Full-SSL-Full-SSL-Strict-mean-
Do you have Flexible SSL enabled? In such case traffic between Cloudflare and Heroku is not encrypted.

[dustinkerstein]

Ah, good stuff. Yeah, I'm using the Flexible SSL which isn't encrypted to my server. Think that's what's causing issues?

[wrr]

Yes, it can be, do you have a way to test the Full SSL option?

[dustinkerstein]

Not easily at the moment. The Flexible SSL kind of does exactly what I need and is a lot cheaper (ie. free) compared to a full SSL setup. I can certainly live with having to use the direct Heroku URL for now.