JavaScript running in the browser is bound by the same-origin policy: a page served from www.example.com can read AJAX responses only from exactly the same origin (same scheme, host and port, i.e. http://www.example.com).
Responses from example.com (without "www") or sub.example.com are withheld from the page unless the target server explicitly opts in with CORS headers.
In the case at hand the page is served from www.somesite.com while the AJAX request goes to http://somesite.com. While they look similar, the browser treats them as different origins. For the cross-origin request to work, the target server (http://somesite.com) must include an Access-Control-Allow-Origin header in its response that names the page's origin. Since that header is missing, the browser blocks access to the response and reports a CORS error.
http://somesite.com and http://www.somesite.com are different origins because browsers treat every distinct hostname, subdomains included, as a separate origin.
Here's why:
"www" is a subdomain
somesite.com → apex (root) domain
www.somesite.com → subdomain of somesite.com
Same-Origin Policy (SOP) restriction
The scheme (http/https), host and port must match exactly for the browser to consider two URLs the same origin; the path does not matter. Any hostname difference, www vs. no www included, makes a different origin.
Since www.somesite.com and somesite.com are different hosts, the browser treats an AJAX request between them as cross-origin. A simple GET or POST is still sent, but the page is not allowed to read the response unless the server opts in with CORS headers; requests that need a preflight (PUT, DELETE, custom headers, a JSON body) are not sent at all unless the OPTIONS preflight succeeds.
To fix this issue, use one of the options below.
Your issue might simply be a typo. If http://somesite.com and http://www.somesite.com are actually the same server, make sure your AJAX request uses the same origin as your page's URL (a relative URL such as /api/data always resolves to the page's own origin).
Sometimes CORS errors come from minor URL mismatches, such as:
www.somesite.com vs. somesite.com
http:// vs. https://
a URL with an explicit port (somesite.com:8000) vs. one without
Double-check your URLs to ensure scheme, host and port match exactly.
If your target server really is a different origin (e.g., an API on another domain), you need to change the server's configuration so that its responses include:
Access-Control-Allow-Origin: *
(Or, better, replace * with the exact origin of the page that calls it, like http://www.somesite.com. A wildcard cannot be combined with cookies or other credentials: the browser refuses Access-Control-Allow-Origin: * on a credentialed request.)
To fix CORS errors in Django, be aware that Django does not send CORS headers by default, so browsers block cross-origin requests to it.
To enable CORS, follow these steps:
Install django-cors-headers
Run the following command to install the package:
pip install django-cors-headers
Add 'corsheaders' to INSTALLED_APPS in settings.py
In your Django settings file (settings.py), add 'corsheaders' to INSTALLED_APPS:
INSTALLED_APPS = [
...
'corsheaders',
...
]
Now add 'corsheaders.middleware.CorsMiddleware' to MIDDLEWARE, above 'django.middleware.common.CommonMiddleware' (and as high in the list as possible, so the CORS headers are also added to responses that earlier middleware produces itself):
MIDDLEWARE = [
'corsheaders.middleware.CorsMiddleware',
'django.middleware.common.CommonMiddleware',
...
]
Allow All Domains (Not Recommended for Production)
Warning: this lets any website on the internet call your API from its visitors' browsers and read the responses; use it only for local testing.
If you want to allow requests from any origin, set:
CORS_ALLOW_ALL_ORIGINS = True # Previously CORS_ORIGIN_ALLOW_ALL
If you want to allow only certain origins, use CORS_ALLOWED_ORIGINS (previously CORS_ORIGIN_WHITELIST). Each entry must be the exact origin the browser sends in its Origin header: scheme, host and, if non-default, port, with no path and no trailing slash.
This ensures that only pages on somesite.com and www.somesite.com can make cross-origin requests:
CORS_ALLOWED_ORIGINS = [
"http://www.somesite.com",
"http://somesite.com",
]
django-cors-headers already allows DELETE, GET, OPTIONS, PATCH, POST and PUT by default. Set CORS_ALLOW_METHODS only if you want to change that list, for example to restrict a read-only API to GET and OPTIONS; the full default list is:
CORS_ALLOW_METHODS = [
"GET",
"POST",
"PUT",
"PATCH",
"DELETE",
"OPTIONS",
]
If your request includes custom headers, you must allow them, because the browser names them in the preflight and refuses the request if the server does not list them. The django-cors-headers defaults already include accept, authorization, content-type, x-csrftoken and x-requested-with; note that setting CORS_ALLOW_HEADERS replaces that default list, so keep the ones you rely on (corsheaders.defaults.default_headers can be unpacked into your list) and add your own:
CORS_ALLOW_HEADERS = [
"content-type",
"authorization",
"x-requested-with",
]
Once the changes are made, restart the server:
python manage.py runserver
If you're still facing CORS issues, check that your frontend is making requests to the correct origin (e.g., www.somesite.com vs. somesite.com), and look at the actual response in the browser's network tab: the Access-Control-Allow-Origin header must be present and must equal the page's origin (or *).
If the request sends cookies (fetch with credentials: 'include', or XMLHttpRequest with withCredentials), also set CORS_ALLOW_CREDENTIALS = True; a wildcard origin is not accepted for such requests, so list the origins explicitly.
Make sure the Django server isn't rejecting requests because of CSRF protection. A 403 from CsrfViewMiddleware is not a CORS error: add the frontend origin to CSRF_TRUSTED_ORIGINS and send the CSRF token, or use token-based authentication for the API. csrf_exempt is acceptable for a quick test, but do not ship it: CORS only controls which pages may read a response, not who may send a request, so CSRF protection still matters for cookie-authenticated views.
If you're running Django behind a reverse proxy (e.g., Nginx or Apache), make sure the proxy isn't stripping the CORS headers or answering OPTIONS preflights itself before they reach Django.
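The decisions discussed above (Access-Control-Allow-Origin with a wildcard vs. an allowlist, the method and header checks of the preflight, and what credentials change) as one self-contained Python model, added here as an illustration. It is not the code of django-cors-headers or of Django; the CorsConfig fields mirror the django-cors-headers settings of the same name, the default method and header tuples are the package's documented defaults, and cors_headers, preflight_ok and audit are hypothetical names. The allowed-origin check is an exact string match, which is why an entry without a scheme or with a trailing slash never matches.

```python
"""Model of the server-side CORS decisions. Hypothetical code written for this
page, not the django-cors-headers implementation."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# django-cors-headers' documented defaults for CORS_ALLOW_METHODS / CORS_ALLOW_HEADERS
DEFAULT_METHODS = ("DELETE", "GET", "OPTIONS", "PATCH", "POST", "PUT")
DEFAULT_HEADERS = ("accept", "authorization", "content-type",
                   "user-agent", "x-csrftoken", "x-requested-with")


@dataclass
class CorsConfig:
    allowed_origins: tuple = ()                 # CORS_ALLOWED_ORIGINS
    allow_all_origins: bool = False             # CORS_ALLOW_ALL_ORIGINS
    allow_credentials: bool = False             # CORS_ALLOW_CREDENTIALS
    allow_methods: tuple = DEFAULT_METHODS      # CORS_ALLOW_METHODS
    allow_headers: tuple = DEFAULT_HEADERS      # CORS_ALLOW_HEADERS


def cors_headers(cfg: CorsConfig, origin: Optional[str]) -> dict:
    """Response headers for a request that carried the given Origin header.

    An empty dict means "origin not allowed": the server still answers, but
    the browser refuses to hand the response to the calling page.
    """
    if origin is None:                      # same-origin request or non-browser client
        return {}
    if cfg.allow_all_origins:
        # Browsers reject a literal "*" on credentialed requests, so the request's
        # own origin is echoed back instead. That makes allow-all plus credentials
        # equivalent to "any site on the internet may read logged-in users' data".
        value = origin if cfg.allow_credentials else "*"
    elif origin in cfg.allowed_origins:     # exact string match, scheme and port included
        value = origin
    else:
        return {}
    headers = {"Access-Control-Allow-Origin": value}
    if cfg.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    if value != "*":
        headers["Vary"] = "Origin"          # per-origin answers must not be cached across origins
    return headers


def preflight_ok(cfg: CorsConfig, origin: Optional[str], method: str,
                 request_headers: tuple = ()) -> bool:
    """Decide an OPTIONS preflight: origin, method and every requested header must
    all be allowed, otherwise the browser never sends the real request."""
    if not cors_headers(cfg, origin):
        return False
    if method.upper() not in cfg.allow_methods:
        return False
    return all(h.lower() in cfg.allow_headers for h in request_headers)


def audit(cfg: CorsConfig) -> list:
    """Configuration mistakes that open the API too far or make an allowlist
    entry silently never match."""
    problems = []
    if cfg.allow_all_origins and cfg.allow_credentials:
        problems.append("allow-all origins with credentials: any origin can read "
                        "authenticated responses")
    for entry in cfg.allowed_origins:
        parts = urlsplit(entry)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append(f"{entry!r} has no scheme or host and will never match "
                            "a browser's Origin header")
        elif parts.path or parts.query or parts.fragment:
            problems.append(f"{entry!r} has a path; browsers send bare scheme://host[:port]")
    return problems


if __name__ == "__main__":
    page = CorsConfig(allowed_origins=("http://www.somesite.com", "http://somesite.com"))
    print(cors_headers(page, "http://www.somesite.com"))   # allowed
    print(cors_headers(page, "http://evil.example"))       # {} -> browser blocks
    print(preflight_ok(page, "http://www.somesite.com", "PUT", ("Content-Type",)))
    print(audit(CorsConfig(allowed_origins=("www.somesite.com", "http://somesite.com/"),
                           allow_all_origins=True, allow_credentials=True)))
```

Run audit() against your own settings values before deploying: the two findings it raises most often in practice are an allowlist entry written without the scheme, which never matches, and CORS_ALLOW_ALL_ORIGINS combined with CORS_ALLOW_CREDENTIALS, which is the one CORS setting that directly exposes authenticated data.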