It's difficult to reliably view preflight (OPTIONS) calls in Chrome or Firefox, so I installed Fiddler to see what's going on.
Sorry, I accidentally posted that before I'd finished writing. Is there no way to edit posts? Anyway, here is the complete post.
—
It's difficult to reliably view preflight (OPTIONS) calls in Chrome or Firefox DevTools, so I installed Fiddler to see what's going on. I turned on Disable cache in DevTools, to make sure preflight calls are not being cached, so I can see them all.
The problem occurs with files/download, but it occurs randomly. A lot of the time, the download completes with no error, but sometimes there is a CORS error, which I believe is due to the OPTIONS preflight request failing. The errors do not occur with the same file each time I run. They are seemingly random. They succeed about 80% of the time, and fail about 20% of the time.
I am using GET so that I can use If-None-Match with an etag. Here is an example of the preflight error:
```
OPTIONS https://content.dropboxapi.com/2/files/download HTTP/2
host: content.dropboxapi.com
accept: */*
access-control-request-method: GET
access-control-request-headers: authorization,dropbox-api-arg
origin: https://localhost:5001
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
sec-fetch-mode: cors
sec-fetch-site: cross-site
sec-fetch-dest: empty
referer: https://localhost:5001/
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
priority: u=1, i

HTTP/2 400
cache-control: no-cache
x-content-type-options: nosniff
access-control-allow-origin: *
access-control-expose-headers: Accept-Ranges, Content-Range, ETag, Dropbox-API-Result, X-Dropbox-Request-Id, X-Dropbox-Trace-Id, grpc-status, grpc-message, grpc-encoding, grpc-accept-encoding, grpc-status-details-bin, trailer
content-type: text/plain; charset=utf-8
content-length: 92
date: Tue, 23 Jun 2026 15:45:59 GMT
server: envoy
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-robots-tag: noindex, nofollow, noimageindex
x-dropbox-response-origin: remote
x-dropbox-request-id: 0d15bfd82e6147d480ef4a326a3aaa37

Error in call to API function "files/download": Use HTTP POST requests to access Dropbox API
```
The message says to use POST and not GET, but the documentation for files/download says you can use either. See Content-download endpoints in the documentation.
In any case, I tried again with POST and I still randomly get the same error:
```
OPTIONS https://content.dropboxapi.com/2/files/download HTTP/2
host: content.dropboxapi.com
pragma: no-cache
cache-control: no-cache
accept: */*
access-control-request-method: POST
access-control-request-headers: authorization,dropbox-api-arg
origin: https://localhost:5001
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
sec-fetch-mode: cors
sec-fetch-site: cross-site
sec-fetch-dest: empty
referer: https://localhost:5001/
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
priority: u=1, i

HTTP/2 400
x-content-type-options: nosniff
cache-control: no-cache
access-control-allow-origin: *
access-control-expose-headers: Accept-Ranges, Content-Range, ETag, Dropbox-API-Result, X-Dropbox-Request-Id, X-Dropbox-Trace-Id, grpc-status, grpc-message, grpc-encoding, grpc-accept-encoding, grpc-status-details-bin, trailer
content-type: text/plain; charset=utf-8
content-length: 92
date: Tue, 23 Jun 2026 16:03:39 GMT
server: envoy
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-robots-tag: noindex, nofollow, noimageindex
x-dropbox-response-origin: remote
x-dropbox-request-id: 0f0e045e40764bd7b5cbd7846a3aae5b

Error in call to API function "files/download": Use HTTP POST requests to access Dropbox API
```
Notice that it still complains that POST should be used, even though the OPTIONS request has access-control-request-method: POST.
I am making REST HTTP calls from the browser (Blazor WebAssembly). I am not using any Dropbox SDK.
Am I doing something wrong?
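Why a browser treats the captured 400 as a CORS failure even though `access-control-allow-origin: *` is present, as an added example that is not part of the original post or any Dropbox code: a preflight must return a 2xx status and must explicitly allow the requested headers. The function names are hypothetical, the request and failing response are trimmed from the capture above, and the passing response is constructed.

```javascript
// Parse a captured HTTP message: start line, then "name: value" header lines.
function parseMessage(text) {
  const [startLine, ...rest] = text.trim().split("\n");
  const headers = {};
  for (const line of rest) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { startLine: startLine.trim(), headers };
}
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Reasons a browser would reject this preflight (empty array = it passes).
// Assumes credentials mode is not "include", so "*" values are acceptable.
// A browser stops at the first failure; this collects all of them.
function preflightFailures(requestText, responseText) {
  const req = parseMessage(requestText), res = parseMessage(responseText);
  const failures = [];
  const acao = res.headers["access-control-allow-origin"];
  if (acao !== "*" && acao !== req.headers["origin"]) failures.push("allow-origin missing or mismatched");
  const status = Number(res.startLine.split(" ")[1]);
  if (status < 200 || status > 299) failures.push(`status ${status} is not 2xx`);
  const method = (req.headers["access-control-request-method"] || "").toUpperCase();
  const methods = list(res.headers["access-control-allow-methods"]);
  const safelisted = ["GET", "HEAD", "POST"].includes(method);
  if (!safelisted && !methods.includes(method.toLowerCase()) && !methods.includes("*"))
    failures.push(`method ${method} not allowed`);
  const allowed = list(res.headers["access-control-allow-headers"]);
  for (const h of list(req.headers["access-control-request-headers"])) {
    // "authorization" is never covered by the "*" wildcard.
    const viaWildcard = allowed.includes("*") && h !== "authorization";
    if (!allowed.includes(h) && !viaWildcard) failures.push(`header ${h} not allowed`);
  }
  return failures;
}

// Trimmed from the failing exchange captured in the post above.
const REQUEST = `OPTIONS https://content.dropboxapi.com/2/files/download HTTP/2
access-control-request-method: GET
access-control-request-headers: authorization,dropbox-api-arg
origin: https://localhost:5001`;
const FAILED = `HTTP/2 400
access-control-allow-origin: *`;
// Constructed for contrast: a response that satisfies every check.
const PASSING = `HTTP/2 200
access-control-allow-origin: *
access-control-allow-methods: GET, POST
access-control-allow-headers: authorization, dropbox-api-arg`;
console.log(preflightFailures(REQUEST, FAILED), preflightFailures(REQUEST, PASSING));
```

Running the same check over a saved set of Fiddler sessions separates preflights rejected for status from responses rejected for a missing `Access-Control-Allow-Origin` header.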
The title should say: CORS preflight for "files/download" is randomly returning status code 400 (bad request). It is annoying that you can't edit the title or contents of your own post.
The problem occurs with Chrome, Brave, and Firefox.
The problem only seems to occur with content.dropboxapi.com. I make many API requests to api.dropboxapi.com without any errors.
As described in the documentation, I tried changing the files/download call to be a simple cross-site request to avoid preflight requests. But I still get random CORS errors. For each error, the problem seems to be that Access-Control-Allow-Origin: * is missing from the response header.
Hi,
I have the same problem: the https://content.dropboxapi.com/2/files/download API randomly includes Access-Control-Allow-Origin: * in the response headers, and responses without this header fail with a CORS error. Sometimes the response includes the Access-Control-Allow-Origin header, and then everything works fine, but most of the time it does not do that.
Thanks for the report. We're looking into it and will follow up here once we have an update.