Request header field x-wp-nonce is not allowed (preflight response)

Getting the error Access to XMLHttpRequest at ‘’ from origin ‘’ has been blocked by CORS policy: Request header field x-wp-nonce is not allowed by Access-Control-Allow-Headers in preflight response? You should keep your URLs consistent.

Use consistent URLs to fix the CORS policy

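As the screenshot above shows, the CORS policy error appears once the JSON response has been requested, and the console error mentions the same domain name in both places. The browser still treats the two URLs as different origins when they differ in the www prefix or the protocol, so the request is cross-origin and the custom X-WP-Nonce header triggers a preflight check.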

To fix this, make sure your URLs are consistent: the domain prefix (www/non-www) and the security protocol (http/https) used in your code should match those of the page making the request.

// using www

// not using www

/* Choose one and do not use both */

A quick fix would be to change your website’s site URL under WordPress Dashboard > Settings > General to its other version (www => non-www or non-www => www). However, you should consider the negative SEO impact this may have, because the current domain has already built up its reputation.
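The URL consistency check described above can be done in code before the request is sent. This is an added example, not code from the original page; the function names and the example.com URLs are constructed for illustration.

```javascript
// Added example: explain why two URLs that "look like the same site" are
// different origins. All URLs below are constructed placeholders.

// Strip a leading "www." so the two hostnames can be compared as one site.
function bareHost(hostname) {
  return hostname.toLowerCase().replace(/^www\./, "");
}

// Compare the page URL with the REST endpoint URL and list every origin
// component that differs. An empty list means the request is same-origin,
// so no preflight is sent for the X-WP-Nonce header.
function originMismatch(pageUrl, apiUrl) {
  const page = new URL(pageUrl);
  const api = new URL(apiUrl);
  const reasons = [];
  if (page.protocol !== api.protocol) {
    reasons.push(`protocol: ${page.protocol} vs ${api.protocol}`);
  }
  if (page.hostname !== api.hostname) {
    const sameSite = bareHost(page.hostname) === bareHost(api.hostname);
    reasons.push(sameSite
      ? `www prefix: ${page.hostname} vs ${api.hostname}`
      : `host: ${page.hostname} vs ${api.hostname}`);
  }
  if (page.port !== api.port) {
    reasons.push(`port: ${page.port || "default"} vs ${api.port || "default"}`);
  }
  return reasons;
}

// Rewrite the endpoint so it uses the page's own origin, keeping path and
// query. Refuses anything that is not the www/non-www pair of the same site.
function alignToPage(pageUrl, apiUrl) {
  const page = new URL(pageUrl);
  const api = new URL(apiUrl);
  if (bareHost(page.hostname) !== bareHost(api.hostname)) {
    throw new Error("different site: fix the endpoint, do not rewrite it");
  }
  return page.origin + api.pathname + api.search;
}

const page = "https://www.example.com/shop/"; // constructed page URL
const api = "http://example.com/wp-json/wp/v2/posts?per_page=5"; // constructed
console.log(originMismatch(page, api));
console.log(alignToPage(page, api));
```

In the browser, pass `window.location.href` as the page URL; an empty result from `originMismatch` means the endpoint already matches the page's origin.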