CORS Redirect is not allowed for a preflight request

Hello Everyone,
I have an OJS3.3 installation with multiple journals, each with a different domain name. We can describe the actual configuration as follows: configuration:

Apache2 VH configuration:

SetEnvIf Origin "http(s)?://(|$" AccessControlAllowOrigin=$0
Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header merge Vary Origin

But I’ve also tried with a more generic ‘Header set Access-Control-Allow-Origin: “*”’.

When I try to make myjournal1 public from the ‘Hosted Journals’ page:

I have the following CORS error:

Access to XMLHttpRequest at '' from origin '' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

because, despite being on domain ‘’ the request is made to domain ‘’.

My question is: shouldn’t this operation be performed on ‘’ instead of link ‘’?

Also because, being on a different domain, you would have to log in twice. Maybe a bug?

Probably you need a rule like:

RewriteRule ^/(api/.*)$ /index.php/myjournal1/$1 [R=307,L]

This will rewrite the API calls preserving the parameters sent by the browser (due to the 307 HTTP status).

Can you give it a try?

Hello @janiosarmento,
thanks for your reply. I’m not sure that the request even left the browser.

I mean, I’m on the website ‘’ ( /admin/contexts page ) and that webpage made an AJAX request to ‘’. It’s the browser itself that blocks the request.

The more time I spend on this, the more I think it is a bug. OJS should only generate URLs pointing to the source domain (for AJAX), or am I mistaken in some way?
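
Why the browser raises the error quoted in this thread even when Access-Control-Allow-Origin is set, as an added example that is not part of the original posts and not OJS code: a simplified model of the preflight decision, following the Fetch standard. The origins, the PUT method, the X-Csrf-Token header and the credentialed mode are assumptions, since the thread does not show the actual request.

```javascript
// Simplified model of the browser's CORS preflight decision (after the Fetch standard).
// All origins, methods and header names below are constructed placeholders.
const SAFE_METHODS = ["GET", "HEAD", "POST"];
function evaluatePreflight(request, response) {
  const h = {};
  for (const [k, v] of Object.entries(response.headers || {})) h[k.toLowerCase()] = v;
  const list = (name) =>
    (h[name] || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  const fail = (reason) => ({ ok: false, reason });
  // 1. A preflight is never followed through a redirect: any 3xx fails,
  //    whatever CORS headers the redirect response carries.
  if (response.status >= 300 && response.status < 400)
    return fail("redirect is not allowed for a preflight request");
  // 2. Only a 2xx answer to the OPTIONS request is acceptable.
  if (response.status < 200 || response.status > 299)
    return fail("preflight response does not have an ok status");
  // 3. Origin check; the wildcard is refused for credentialed requests.
  const acao = h["access-control-allow-origin"];
  const wildcardOk = !request.withCredentials;
  if (!(acao === request.origin || (acao === "*" && wildcardOk)))
    return fail("Access-Control-Allow-Origin does not match the origin");
  if (request.withCredentials && h["access-control-allow-credentials"] !== "true")
    return fail("Access-Control-Allow-Credentials is not 'true'");
  // 4. Method and non-safelisted request headers must be allowed explicitly.
  const methods = list("access-control-allow-methods");
  const method = request.method.toUpperCase();
  if (!SAFE_METHODS.includes(method) && !methods.includes(method.toLowerCase()) &&
      !(wildcardOk && methods.includes("*")))
    return fail("method " + method + " is not allowed");
  const allowed = list("access-control-allow-headers");
  for (const name of request.headers.map((n) => n.toLowerCase()))
    if (!allowed.includes(name) && !(wildcardOk && allowed.includes("*")))
      return fail("request header " + name + " is not allowed");
  return { ok: true, reason: "preflight passed" };
}
// Constructed sample: an admin page on one journal domain calling an API on another.
// `headers` lists only the non-safelisted request header names.
const sampleRequest = { origin: "https://journal-a.example", method: "PUT",
                        headers: ["X-Csrf-Token"], withCredentials: true };
const redirected = { status: 302, headers: {
  "Location": "https://journal-b.example/login", "Access-Control-Allow-Origin": "*" } };
const wildcard = { status: 200, headers: { "Access-Control-Allow-Origin": "*" } };
const correct = { status: 204, headers: {
  "Access-Control-Allow-Origin": "https://journal-a.example",
  "Access-Control-Allow-Credentials": "true",
  "Access-Control-Allow-Methods": "PUT", "Access-Control-Allow-Headers": "X-Csrf-Token" } };
for (const r of [redirected, wildcard, correct])
  console.log(r.status, evaluatePreflight(sampleRequest, r).reason);
```

In this model the 302 response fails at step 1 before any CORS header is read, and the wildcard response fails at step 3 because the sample request carries credentials.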