# Verifying Well Known CORS Headers

# Issue
- Specifying a homeserver using Well Known delegation but without CORS headers results in an error.

<center>
  
[![](https://ems-docs.element.io/uploads/images/gallery/2023-04/scaled-1680-/image-1681212695337.png)](https://ems-docs.element.io/uploads/images/gallery/2023-04/image-1681212695337.png)
  
</center>

# Environment
- Element On-Premise
- Element Cloud Offerings

# Resolution

Enable CORS Headers, see [enable-cors.org](https://enable-cors.org/) for instructions on how to do this. Then you can verify your `.well-known` files from the command line:

Note the lines `access-control-allow-origin: *` and `content-type: application/json`

1. On Mac or Linux, using the `terminal`  

	```bash
	$ curl -i https://element.io/.well-known/matrix/client
	HTTP/2 200 
	date: Fri, 31 Jul 2020 09:11:21 GMT
	content-type: application/json
	content-length: 129
	set-cookie: __cfduid=x...; expires=Sun, 30-Aug-20 09:11:21 GMT; path=/; domain=.element.io; HttpOnly; SameSite=Lax
	access-control-allow-origin: *
	cf-cache-status: DYNAMIC
	cf-request-id: 0...
	expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
	server: cloudflare
	cf-ray: 5...

	{
		"m.homeserver": {
			"base_url": "https://element.ems.host"
		},
		"m.identity_server": {
			"base_url": "https://vector.im"
		}
	}

	$ curl -i https://element.io/.well-known/matrix/server
	HTTP/2 200 
	date: Fri, 31 Jul 2020 09:11:25 GMT
	content-type: application/json
	content-length: 52
	set-cookie: __cfduid=x...; expires=Sun, 30-Aug-20 09:11:25 GMT; path=/; domain=.element.io; HttpOnly; SameSite=Lax
	access-control-allow-origin: *
	cf-cache-status: DYNAMIC
	cf-request-id: 0...
	expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
	server: cloudflare
	cf-ray: 5...

	{
		"m.server": "element.ems.host:443"
	}  
	```

2. On Windows, using `PowerShell`  

	```powershell
	PS C:\Users\twilight> Invoke-WebRequest -Uri https://element.io/.well-known/matrix/client


	StatusCode        : 200
	StatusDescription : OK
	Content           : {
							"m.homeserver": {
								"base_url": "https://element.ems.host"
							},
							"m.identity_server": {
								"base_url": "https://vector.im"
							}
						}
	RawContent        : HTTP/1.1 200 OK
						Connection: keep-alive
						Access-Control-Allow-Origin: *
						CF-Cache-Status: DYNAMIC
						cf-request-id: 0...
						Expect-CT: max-age=604800, report-uri="https://repor...
	Forms             : {}
	Headers           : {[Connection, keep-alive], [Access-Control-Allow-Origin, *], [CF-Cache-Status, DYNAMIC], [cf-request-id, 0...]...}
	Images            : {}
	InputFields       : {}
	Links             : {}
	ParsedHtml        : System.__ComObject
	RawContentLength  : 129


	PS C:\Users\twilight> Invoke-WebRequest -Uri https://element.io/.well-known/matrix/server


	StatusCode        : 200
	StatusDescription : OK
	Content           : {
							"m.server": "element.ems.host:443"
						}
	RawContent        : HTTP/1.1 200 OK
						Connection: keep-alive
						Access-Control-Allow-Origin: *
						CF-Cache-Status: DYNAMIC
						cf-request-id: 0...
						Expect-CT: max-age=604800, report-uri="https://repor...
	Forms             : {}
	Headers           : {[Connection, keep-alive], [Access-Control-Allow-Origin, *], [CF-Cache-Status, DYNAMIC], [cf-request-id, 0...]...}
	Images            : {}
	InputFields       : {}
	Links             : {}
	ParsedHtml        : System.__ComObject
	RawContentLength  : 52
	```

# Root Cause
Without cross-origin resource sharing, access to fetch the well known files will be blocked by CORS policy as `No 'Access-Control-Allow-Origin' header is present on the requested resource`.