Paypal-checkout-components: XMLHttpRequest from origin 'https://www.paypal.com' has been blocked by CORS policy (multiple values)

Created on 30 Mar 2019  路  14Comments  路  Source: paypal/paypal-checkout-components

Description

Chrome console:

_"Access to XMLHttpRequest at 'https://www.paypalobjects.com/js/xo/hermes/1.9.0/framework-code-split.js' from origin 'https://www.paypal.com' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed."_

Steps to reproduce

Try to checkout with iframe-modal in standalone PWA. Clicking on the Paypal-Button the spinner doesn't disappear - PayPal Guest Checkout works.

Affected browsers

  • [ x] Chrome/standalone PWA
  • [ ] Other?
馃悶 bug
Source
picture janwol

Most helpful comment

There's a push that should be going out today to resolve the issues with that file. Will update this thread.

picture bluepnume on 2 Apr 2019
👍3

All 14 comments

I get this same error. See https://stackoverflow.com/questions/55450259/cors-and-createpayment-errors-for-paypal-standard

Everything works fine on sandbox but on wordpress with woocommerce going from checkout to paypal login I get the same CORS issue and trying to continue to do payment I get createPayment error with all payment methods, including preloaded balance so isn't a card issue. ( one live attempt paypal debug id error d868467ddb59c). Same on Edge, Chrome and Firefox. I have tried two wordpress sites same issue, both work on sandbox but not live.

edindubai picture edindubai on 1 Apr 2019

The cause is that https://www.paypalobjects.com/js/xo/hermes/1.9.0/framework-code-split.js is sending two access-control-allow-origin: * response headers in the response:

curl -i -H "https://www.paypal.com/" \
    https://www.paypalobjects.com/js/xo/hermes/1.9.0/framework-code-split.js

server: Apache
last-modified: Mon, 15 Oct 2018 18:02:29 GMT
content-type: application/x-javascript
x-pad: avoid browser bug
cache-control: max-age=7776000
expires: Mon, 01 Jul 2019 00:53:50 GMT
date: Tue, 02 Apr 2019 00:53:50 GMT
access-control-allow-methods: GET
access-control-allow-headers: x-csrf-token
access-control-allow-origin: *
access-control-allow-headers: x-csrf-token
access-control-allow-methods: GET
access-control-allow-origin: *
vary: Accept-Encoding
x-content-type-options: nosniff
strict-transport-security: max-age=31536000

That鈥檚 exactly what鈥檚 causing the browser to fail and to report that _鈥淭he 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed."鈥漘 error message.

So that server is misconfigured, and needs to be reconfigured to send only one access-control-allow-origin: * response header.

sideshowbarker picture sideshowbarker on 2 Apr 2019
👍3

There's a push that should be going out today to resolve the issues with that file. Will update this thread.

bluepnume picture bluepnume on 2 Apr 2019
👍3

Should be released. Please let me know if you still see the issue.

bluepnume picture bluepnume on 5 Apr 2019

Anybody get the solution for this problem?

FelipeNunes04 picture FelipeNunes04 on 5 Apr 2019

I'm using paypal in my webview android, but i get this problem, he 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed. Origin 'https://www.paypal.com' is therefore not allowed access."

FelipeNunes04 picture FelipeNunes04 on 5 Apr 2019

Still getting duplicated headers..

janwol picture janwol on 5 Apr 2019

Still see the same error as before:

Edge:
SEC7128: [CORS] The origin 'https://www.paypal.com' found multiple Access-Control-Allow-Origin response headers for cross-origin resource at 'https://www.paypalobjects.com/js/xo/hermes/1.9.0/framework-code-split.js'.

Chrome:
Access to XMLHttpRequest at 'https://www.paypalobjects.com/js/xo/hermes/1.9.0/framework-code-split.js' from origin 'https://www.paypal.com' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed.

Dubaidogfish picture Dubaidogfish on 6 Apr 2019
👍1

I'm also having the same problem, seems like the fix didnt work 馃様 @bluepnume
if I just continue with the checkout and try to complete the purchase nothing keeps happening when I hit the pay now button. In my chrome dev tools I see this tho:

Failed to load resource: the server responded with a status of 400 () https://www.paypal.com/webapps/hermes/api/checkout/91L22265FX768934B/session/createPayment

also I can see that something with an object that is being passed around, Im not sure what is tho, is not right:

windowload_timeout_setting
Object

client_elapsed: 15

event: "windowload_timeout_setting"

level: "info"

pageID: "132fefba"

req_elapsed: 4595

state: "pre_bootstrap"

throttle: 0

timeout: 20000

timestamp: "Sat Apr 06 2019 15:06:22 GMT+0200 (CEST)"

token: "91L22265FX768934B"

Object Prototyp

__defineGetter__(propertyName, getterFunction)

__defineSetter__(propertyName, setterFunction)

__lookupGetter__(propertyName)

__lookupSetter__(propertyName)

constructor: function()

arguments: TypeError: 'arguments', 'callee', and 'caller' cannot be accessed in this context.

assign(target, ...sources)

caller: TypeError: 'arguments', 'callee', and 'caller' cannot be accessed in this context.

create(prototype, [propertiesObject])

defineProperties(object, properties)

defineProperty(object, propertyName, descriptor)

entries()

freeze(object)

fromEntries()

getOwnPropertyDescriptor(object, propertyName)

getOwnPropertyDescriptors()

getOwnPropertyNames(object)

getOwnPropertySymbols(object)

getPrototypeOf(object)

is(value1, value2)

isExtensible(object)

isFrozen(object)

isSealed(object)

keys(object)

length: 1

name: "Object"

preventExtensions(object)

prototype: {}

seal(object)

setPrototypeOf(object, prototype)

values()

Function Prototyp

hasOwnProperty(propertyName)

isPrototypeOf(property)

propertyIsEnumerable(propertyName)

toLocaleString()

toString()

valueOf()

I dont know what this is supposed to be TypeError: 'arguments', 'callee', and 'caller' cannot be accessed in this context.

maybe its all related ? because of the access-control-allow-origin: *, * the checkout doesnt finish?

b101 picture b101 on 6 Apr 2019
👍1

still get this problem

wanlerong picture wanlerong on 15 Apr 2019

const express=require('express');
const paypal=require('paypal-rest-sdk');
const bodyParser=require('body-parser');
const http = require('http');
const app=express();
var cors = require('cors')

app.use(cors()) // Use this after the variable declaration

app.use(function (req, res, next) {
res.header("Access-Control-Allow-Origin", "*");
res.header("Access-Control-Allow-Methods", "GET,HEAD,OPTIONS,POST,PUT,DELETE");
res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, X-Tableau-Auth");
next();
});
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({
extended: false
}));

app.set('port', 6679);
var server = http.createServer(app);
server.listen(6679, () => {
console.log("server started running");
})

app.post('/pays',(req,res)=>{

console.log("Into Payment Method")
paypal.configure({
    'mode': 'sandbox', 
    'client_id': 'sss',
    'client_secret': 's-s-s'
  });

var payReq = JSON.stringify({
'intent':'sale',
'redirect_urls':{
'return_url':'http://localhost:3451/process',
'cancel_url':'http://localhost:3451/cancel'
},
'payer':{
'payment_method':'paypal'
},
'transactions':[{
'amount':{
'total':'7.47',
'currency':'USD'
},
'description':'This is the payment transaction description.'
}]
});

paypal.payment.create(payReq, function(error, payment){
    if(error){
        console.error(error);
    } else {
        //capture HATEOAS links
        var links = {};
        payment.links.forEach(function(linkObj){
            links[linkObj.rel] = {
                'href': linkObj.href,
                'method': linkObj.method
            };
        })

        //if redirect url present, redirect user
        if (links.hasOwnProperty('approval_url')){
            res.redirect(links['approval_url'].href);
        } else {
            console.error('no redirect URI present');
        }
    }
});

app.get('/process', function(req, res){
var paymentId = req.query.paymentId;
var payerId = { 'payer_id': req.query.PayerID };

    paypal.payment.execute(paymentId, payerId, function(error, payment){
        if(error){
            console.error(error);
        } else {
            if (payment.state == 'approved'){ 
                res.send('payment completed successfully');
            } else {
                res.send('payment not successful');
            }
        }
    });
});

})

This is my code

I am getting this error

Access to XMLHttpRequest at 'https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=EC-3A944228K1846335N' (redirected from 'http://localhost:6679/pays') from origin 'http://localhost:3451' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Stuck from a long time

CodingStrikers picture CodingStrikers on 26 Jun 2020

This issue still exists and seems there is an issue with origin policy from PayPal.
I am able to reproduce it when using sandbox mode not tested for live mode.
@bluepnume

Kamlesh-sh picture Kamlesh-sh on 5 Jul 2020

I also still get this issue using Firefox 79.0. I tried to disable tracking protection but it does not change anything. Requests fail because of CORS. It seems I simply cannot use Paypal anymore. :clap:

oliwer picture oliwer on 2 Aug 2020

Getting this issue on some pages but not all.

MGParisi picture MGParisi on 23 Aug 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

JeromeDeLeon picture JeromeDeLeon  路  4Comments
Soulpancake000 picture Soulpancake000  路  5Comments
JDevjs picture JDevjs  路  6Comments
gastonyelmini picture gastonyelmini  路  3Comments
VivekVikranth picture VivekVikranth  路  6Comments