Skip to main content

Verifying Well Known CORS Headers

Issue

  • Specifying a homeserver using Well Known delegation but without CORS headers results in an error.

Environment

  • Element On-Premise
  • Element Cloud Offerings

Resolution

Enable CORS Headers, see enable-cors.org for instructions on how to do this. Then you can verify your .well-known files from the command line:

Note the lines access-control-allow-origin: * and content-type: application/json

  1. On Mac or Linux, using the terminal

    $ curl -i https://element.io/.well-known/matrix/client
HTTP/2 200 
date: Fri, 31 Jul 2020 09:11:21 GMT
content-type: application/json
content-length: 129
set-cookie: __cfduid=x...; expires=Sun, 30-Aug-20 09:11:21 GMT; path=/; domain=.element.io; HttpOnly; SameSite=Lax
access-control-allow-origin: *
cf-cache-status: DYNAMIC
cf-request-id: 0...
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 5...

{
	"m.homeserver": {
		"base_url": "https://element.ems.host"
	},
	"m.identity_server": {
		"base_url": "https://vector.im"
	}
}

$ curl -i https://element.io/.well-known/matrix/server
HTTP/2 200 
date: Fri, 31 Jul 2020 09:11:25 GMT
content-type: application/json
content-length: 52
set-cookie: __cfduid=x...; expires=Sun, 30-Aug-20 09:11:25 GMT; path=/; domain=.element.io; HttpOnly; SameSite=Lax
access-control-allow-origin: *
cf-cache-status: DYNAMIC
cf-request-id: 0...
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 5...

{
	"m.server": "element.ems.host:443"
}

  2. On Windows, using PowerShell

    PS C:\Users\twilight> Invoke-WebRequest -Uri https://element.io/.well-known/matrix/client


StatusCode        : 200
StatusDescription : OK
Content           : {
						"m.homeserver": {
							"base_url": "https://element.ems.host"
						},
						"m.identity_server": {
							"base_url": "https://vector.im"
						}
					}
RawContent        : HTTP/1.1 200 OK
					Connection: keep-alive
					Access-Control-Allow-Origin: *
					CF-Cache-Status: DYNAMIC
					cf-request-id: 0...
					Expect-CT: max-age=604800, report-uri="https://repor...
Forms             : {}
Headers           : {[Connection, keep-alive], [Access-Control-Allow-Origin, *], [CF-Cache-Status, DYNAMIC], [cf-request-id, 0...]...}
Images            : {}
InputFields       : {}
Links             : {}
ParsedHtml        : System.__ComObject
RawContentLength  : 129


PS C:\Users\twilight> Invoke-WebRequest -Uri https://element.io/.well-known/matrix/server


StatusCode        : 200
StatusDescription : OK
Content           : {
						"m.server": "element.ems.host:443"
					}
RawContent        : HTTP/1.1 200 OK
					Connection: keep-alive
					Access-Control-Allow-Origin: *
					CF-Cache-Status: DYNAMIC
					cf-request-id: 0...
					Expect-CT: max-age=604800, report-uri="https://repor...
Forms             : {}
Headers           : {[Connection, keep-alive], [Access-Control-Allow-Origin, *], [CF-Cache-Status, DYNAMIC], [cf-request-id, 0...]...}
Images            : {}
InputFields       : {}
Links             : {}
ParsedHtml        : System.__ComObject
RawContentLength  : 52

Root Cause

Without cross-origin resource sharing, access to fetch the well known files will be blocked by CORS policy as No 'Access-Control-Allow-Origin' header is present on the requested resource.

Back to top