
Verifying Well Known CORS Headers

Issue

  • Specifying a homeserver using Well Known delegation but without CORS headers results in an error.

Environment

  • Element On-Premise
  • Element Cloud Offerings

Resolution

Enable CORS headers (see enable-cors.org for instructions), then verify your .well-known files from the command line as shown below.

In the output, note the lines access-control-allow-origin: * and content-type: application/json.

  1. On Mac or Linux, using the terminal

    $ curl -i https://element.io/.well-known/matrix/client
    HTTP/2 200 
    date: Fri, 31 Jul 2020 09:11:21 GMT
    content-type: application/json
    content-length: 129
    set-cookie: __cfduid=x...; expires=Sun, 30-Aug-20 09:11:21 GMT; path=/; domain=.element.io; HttpOnly; SameSite=Lax
    access-control-allow-origin: *
    cf-cache-status: DYNAMIC
    cf-request-id: 0...
    expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    server: cloudflare
    cf-ray: 5...
    
    {
    	"m.homeserver": {
    		"base_url": "https://element.ems.host"
    	},
    	"m.identity_server": {
    		"base_url": "https://vector.im"
    	}
    }
    
    $ curl -i https://element.io/.well-known/matrix/server
    HTTP/2 200 
    date: Fri, 31 Jul 2020 09:11:25 GMT
    content-type: application/json
    content-length: 52
    set-cookie: __cfduid=x...; expires=Sun, 30-Aug-20 09:11:25 GMT; path=/; domain=.element.io; HttpOnly; SameSite=Lax
    access-control-allow-origin: *
    cf-cache-status: DYNAMIC
    cf-request-id: 0...
    expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    server: cloudflare
    cf-ray: 5...
    
    {
    	"m.server": "element.ems.host:443"
    }  
    
  2. On Windows, using PowerShell

    PS C:\Users\twilight> Invoke-WebRequest -Uri https://element.io/.well-known/matrix/client
    
    
    StatusCode        : 200
    StatusDescription : OK
    Content           : {
    						"m.homeserver": {
    							"base_url": "https://element.ems.host"
    						},
    						"m.identity_server": {
    							"base_url": "https://vector.im"
    						}
    					}
    RawContent        : HTTP/1.1 200 OK
    					Connection: keep-alive
    					Access-Control-Allow-Origin: *
    					CF-Cache-Status: DYNAMIC
    					cf-request-id: 0...
    					Expect-CT: max-age=604800, report-uri="https://repor...
    Forms             : {}
    Headers           : {[Connection, keep-alive], [Access-Control-Allow-Origin, *], [CF-Cache-Status, DYNAMIC], [cf-request-id, 0...]...}
    Images            : {}
    InputFields       : {}
    Links             : {}
    ParsedHtml        : System.__ComObject
    RawContentLength  : 129
    
    
    PS C:\Users\twilight> Invoke-WebRequest -Uri https://element.io/.well-known/matrix/server
    
    
    StatusCode        : 200
    StatusDescription : OK
    Content           : {
    						"m.server": "element.ems.host:443"
    					}
    RawContent        : HTTP/1.1 200 OK
    					Connection: keep-alive
    					Access-Control-Allow-Origin: *
    					CF-Cache-Status: DYNAMIC
    					cf-request-id: 0...
    					Expect-CT: max-age=604800, report-uri="https://repor...
    Forms             : {}
    Headers           : {[Connection, keep-alive], [Access-Control-Allow-Origin, *], [CF-Cache-Status, DYNAMIC], [cf-request-id, 0...]...}
    Images            : {}
    InputFields       : {}
    Links             : {}
    ParsedHtml        : System.__ComObject
    RawContentLength  : 52
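
The manual check above can be scripted. The following is an added example, not part of the original article or of Element's tooling: it reads a raw `curl -i` response on stdin and checks the two highlighted headers and the expected JSON key. The function name, the `wk_` variables and the `example.org` sample responses are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: checks a raw `curl -i` response (read from stdin) for the two
# headers the article highlights, plus the expected JSON key in the body.
# $1 = key expected in the body: m.homeserver (client) or m.server (server).
check_well_known() {
    wk_key="$1"
    wk_status=0
    wk_raw=$(tr -d '\r')                                  # strip CRs from CRLF line endings
    wk_headers=$(printf '%s\n' "$wk_raw" | sed '/^$/q')   # status line and headers
    wk_body=$(printf '%s\n' "$wk_raw" | sed '1,/^$/d')    # everything after the blank line

    # Header names are case-insensitive: HTTP/2 output shows them in lowercase.
    if ! printf '%s\n' "$wk_headers" |
        grep -Eiq '^access-control-allow-origin:[[:space:]]*\*[[:space:]]*$'; then
        echo "FAIL: access-control-allow-origin: * is missing"
        wk_status=1
    fi
    # A parameter such as "; charset=utf-8" after the media type is accepted.
    if ! printf '%s\n' "$wk_headers" |
        grep -Eiq '^content-type:[[:space:]]*application/json'; then
        echo "FAIL: content-type is not application/json"
        wk_status=1
    fi
    # -F keeps the dot in the key literal instead of a regex wildcard.
    if ! printf '%s\n' "$wk_body" | grep -Fq "\"$wk_key\""; then
        echo "FAIL: body has no \"$wk_key\" key"
        wk_status=1
    fi
    if [ "$wk_status" -eq 0 ]; then
        echo "OK: CORS header, JSON content type and $wk_key key present"
    fi
    return "$wk_status"
}

# Constructed sample responses (not captured from a real server).
GOOD_RESPONSE=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nAccess-Control-Allow-Origin: *\r\n\r\n{"m.homeserver": {"base_url": "https://matrix.example.org"}}\n')
BAD_RESPONSE=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{"m.homeserver": {"base_url": "https://matrix.example.org"}}\n')

printf '%s\n' "$GOOD_RESPONSE" | check_well_known m.homeserver
printf '%s\n' "$BAD_RESPONSE" | check_well_known m.homeserver || true

# Against a live server (replace example.org with your own domain):
#   curl -si https://example.org/.well-known/matrix/client | check_well_known m.homeserver
```

The function returns a non-zero status on any failed check, so it can gate a deployment step or a monitoring probe.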
    

Root Cause

Without cross-origin resource sharing (CORS) enabled, attempts to fetch the well-known files are blocked by CORS policy with the error: No 'Access-Control-Allow-Origin' header is present on the requested resource.