A possible cause of "...has been blocked by CORS policy"

A JavaScript client:

const deletePing = async () => {
    const config = {
        method: "delete"
    const response = await fetch('http://localhost:8080/cors-error-delete/resources/ping/duke', config);

reports the following error:
app.js:6 OPTIONS http://localhost:8080/cors-error-delete/resources/ping/duke and Access to fetch at 'http://localhost:8080/cors-error-delete/resources/ping/duke' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
when a preflight request automatically initiated by the browser fails with status 404.

This will happen, if a resource like:

import javax.ws.rs.DELETE;
import javax.ws.rs.Path;

public class PingResource {

    public void remove() {

exposed with:

public class JAXRSConfiguration extends Application {}    
and with installed CORS-filter:


doesn't accept path params, but the JavaScript client passes them.

In our case: DELETE http://localhost:8080/cors-error-delete/resources/ping/duke is requested, but only http://localhost:8080/cors-error-delete/resources/ping/ is offered.

See you at Web, MicroProfile and Java EE Workshops at Munich Airport, Terminal 2 or Virtual Dedicated Workshops / consulting. Is Munich's airport too far? Learn from home: airhacks.io.

Web Apps, SPA, PWA with vanilla Java Script (ES 6+), CSS 3 and WebStandards only. As simple as possible, but not simpler. See you at: (Progressive) Web apps, Single Page Apps and WebStandards airhacks workshops at MUC airport, Winter Edition

airhacks.fm the podcast:

Stay in touch: airhacks.news.


Post a Comment:
  • HTML Syntax: NOT allowed
Online Workshops
...the last 150 posts
...the last 10 comments