Fighting: Access to XMLHttpRequest has been blocked by CORS policy

Just turned up a new server and installed jitsi for development.

I am getting

Access to XMLHttpRequest at ‘xxxxxxxx/http-bind’ from origin xxxxxmywebsite . com’ has been blocked by CORS policy: Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.

I have been fighting this all afternoon. I have attempted the solutions that I have found but has been unsuccessful.

I have added:

cross_domain_bosh = true;

to the /etc/prosody/prosody.cfg.lua file.

Also, I checked the my and it has:
location = /http-bind {
proxy_pass http://localhost:5280/http-bind;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
add_header ‘Access-Control-Allow-Origin’ ‘*’;

What else do I need to do?


I don’t quite see why you need this header, but maybe adding

add_header Access-Control-Allow-Headers ‘Content-Type’;

could help ?

I just tried that. It does not seem to make a difference.

In this case I’m stumped. When I used it - it was necessary in a dev context - that’s all that was needed. I hope that you reloaded with Ctrl F5 or something like that, of course. At this level, my next try would be to use
curl -I
to see what are the headers returned by the web server. Maybe it’s the Vary: accept-encoding that is missing ?

I put the below in my PHP file and got the OUTPUT listed:

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,;
curl_setopt($ch, CURLOPT_HEADER, true);
$contents = curl_exec($ch);
echo CONTENTS:  $contents;

HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Tue, 23 Mar 2021 12:29:29 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Access-Control-Allow-Origin: *

It works! Now point your BOSH client to this URL to connect to Prosody.

For more information see Prosody: Setting up BOSH.

well, I don’t know what I’m supposed to make out of that because I definitely don’t speak PHP so it’s unclear if your problem is solved or not.

If I run it from the linux on my webserver

I get

HTTP/1.1 404 Not Found
Server: nginx/1.14.0 (Ubuntu)
Date: Tue, 23 Mar 2021 13:04:04 GMT
Content-Length: 375
Connection: keep-alive

try to test it from a workstation; if it works there, you have some network config error on the server

It is working now. I failed to realize I needed to run the stop the start script after making the configuration changes.

Thanks for all your help!