CORS not working in Safari (but does in Chrome)

[finn753]

What is the issue?

I can't make API requests from Safari.
I've enabled all origins "*" and it perfectly works in Chrome, but Safari just throws CORS errors.
I've tried with the ollama/browser npm package and a manual fetch request, to make sure it's not the problem.
Both are failing

OS

macOS

GPU

Apple

CPU

Apple

Ollama version

0.1.32

[BruceMacD]

Hi @finn753, thanks for opening the issue. Safari has some stricter CORs policies than Chrome does. Is there any specific CORs error in the safari console? That will help narrow this one down a bit, a quick Safari CORs test worked for my specific setup.

[jzevin]

@BruceMacD I was going to post the issue, so I had done a bit of research as I don't know go but the following may help:

ollama/llm/ext_server/server.cpp

Line 2841 in 0616491

res.set_header("Access-Control-Allow-Headers", "*");

I think Safari does not accept the wildcard in Access-Control-Allow-Headers when credentials are included. Consequently, requests that explicitly set the User-Agent header are blocked due to CORS policy violations.

Proposed Solution:
Replace the wildcard in the Access-Control-Allow-Headers with an explicit list of headers. For example:

res.set_header("Access-Control-Allow-Headers", "Content-Type, Accept, X-Requested-With, User-Agent");

Impact:
This issue prevents the application from performing authorized cross-origin requests where custom headers, particularly User-Agent, are necessary.

[BruceMacD]

Thanks for the insights @jzevin, I was able to reproduce and add a couple more headers to #4086 that will fix this.