Debugging CORS Issue with Lea Verou


CORS (Cross-Origin Resource Sharing) is a mechanism that allows web pages to access resources from other domains. However, CORS can be annoying and can consume several hours, as it can be difficult to debug CORS issues.

This article is about debugging a CORS issue with Lea Verou. Lea is a front-end web developer, speaker, and author. She is an elected participant in the World Wide Web Consortium (W3C) Technical Architecture Group (TAG), and an Invited Expert in the W3C CSS Working Group. She is the author of CSS Secrets and has given numerous talks on CSS & Web Standards.

Lea’s dev setup

Lea was building the Mavo framework – A new way to build web applications. To fasten the development & testing cycles, she used Requestly to load local scripts from the local/dev server directly on Mavo apps.

She created a Replace Rule in Requestly to load the Mavo assets from the local development server. Here’s a quick screenshot of the rule she used —

This was such a useful setup to her that in fact, she once tweeted that Requestly is her most essential tool after the IDE & browser.

After some time, she started facing CORS Issues with this setup and she was unable to load local assets anymore. Her development process got broken 😟

Reproducing the CORS Issue (CodePen & Redirect Rule)

Fortunately, she could reproduce the CORS issue with a Codepen where she injected a script hosted on Github projects and used the Requestly redirect rule to load the script from the local development server. We could see the CORS errors in the browser console.

👉 Here’s a link to the Codepen she created & the screenshot

Codepen – Inject script from Github Projects

👉 Here’s a link to the Requestly Redirect Rule & the screenshot

Requestly Redirect Rule – Redirects Remote Script to Local development script

This codepen and redirect rule helped us get the CORS Issue consistently so now it was the time to fiddle with HTTP CORS headers and try to fix the issue.

Using Requestly to modify HTTP CORS Headers

You can use Requestly to add, remove or override requests as well as response headers. There are typically 4 Access-Control-Allow-* response headers viz

  • Access-Control-Allow-Origin
  • Access-Control-Allow-Headers
  • Access-Control-Allow-Methods
  • Access-Control-Allow-Credentials

Since the error in the browser console was specifically about the origin, We used the Requestly Modify Headers rule to override the value of the Access-Control-Allow-Origin header.

👉 Here’s a link to the headers rule& the screenshot of the rule

Modify Headers Rule – Upsert Access-Control-Allow-Origin header

With this solution, we were pretty much confident that it should solve the issue but to our surprise we found a weird bug in Chrome.

Chrome Bug

But to our delight, the same solution worked in Firefox. (Yes, Requestly is available on Firefox and can be downloaded from

Working fine in Firefox

This was quite an interesting live debugging session. Both of us learned quite a bit about CORS & the browsers. I hope this helps and could help you troubleshoot the CORS Issue faster next time.



CORS is very annoying but you can use Requestly to not just solve CORS Issues but it is a complete solution for frontend developers to save critical dev hours. If you’d like to know more about CORS, check out What is CORS & how to solve CORS errors. Also, check out how Postman Web Client handles CORS issues.

Share this article:

This article was written by:

Picture of Sagar Soni

Sagar Soni

Sagar is the co-founder and CTO of Requestly. When he's not busy architecting the next big thing in software development, you'll likely find him behind the wheel, cruising the streets and enjoying the thrill of the drive. For Sagar, it's all about the code by day and the open road by night.