
Why CORS Works in Incognito But Not Normal Browser (or Vice Versa)

Updated April 2026


If CORS works in incognito but fails in normal mode — or vice versa — it is almost never a CORS configuration problem. It is extensions, cached credentials, or cookie state. Here is how to diagnose each case.

Case 1 — Works in incognito, fails in normal mode

Cause: A browser extension is interfering. Ad blockers, privacy extensions, CORS unblock extensions, VPN extensions, and some password managers modify request headers or block responses.

# Diagnose
1. Open DevTools → Network tab
2. Find the failing request
3. Check Request Headers for any unusual headers added by extensions
4. Try disabling extensions one at a time
5. The one that fixes it is the problem

Common culprits: uBlock Origin (sometimes blocks tracking-related requests), Privacy Badger, CORS Unblock (can interfere when not configured), Ghostery.

Case 2 — Works in normal mode, fails in incognito

Cause: Missing credentials in incognito. Incognito has no cookies, no stored sessions, no cached auth tokens. If your API requires authentication, incognito mode will fail on any request that depends on stored credentials.

# Diagnose
# Check whether the request is supposed to be authenticated
# If you see 401 or 403 in the Network tab → it is an auth issue, not CORS
# The browser shows a CORS error instead of 401 because it cannot read the response

Case 3 — Works in Chrome, fails in Firefox (or Safari)

Different browsers have different CORS implementations for edge cases:

Case 4 — Works locally, fails in production

# Local development
Frontend: http://localhost:3000
Backend:  http://localhost:8000
# Same host → browser may treat as same-origin in some cases

# Production
Frontend: https://yourapp.com
Backend:  https://api.yourapp.com
# Different origin → CORS required

The definitive diagnostic checklist

1. Does it work with extensions disabled? → extension issue
2. Is there a 401/403 in Network tab? → auth issue, not CORS
3. Does it fail only with credentials: include? → wildcard * issue
4. Does OPTIONS return 404? → preflight handler missing
5. Is Access-Control-Allow-Origin wrong? → server config issue
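
Checklist items 2 to 5 can be applied mechanically to a preflight and response captured outside the browser. The following is an added example, not code from this article or from CORSFixer; `diagnoseCors` and the `SAMPLE_*` captures are hypothetical names with constructed data. It also checks `Access-Control-Allow-Credentials`, which credentialed requests require and which the checklist does not list.

```javascript
// Added example; diagnoseCors and the SAMPLE_* captures are hypothetical names.
// HTTP header names are case-insensitive, so look them up that way.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : String(headers[key]).trim();
}

// origin: the frontend origin; credentials: true when fetch uses credentials: "include".
// preflight / response: { status, headers } captured outside the browser.
function diagnoseCors({ origin, credentials, preflight, response }) {
  const findings = [];
  if (preflight.status === 404) {
    findings.push("preflight handler missing (OPTIONS returned 404)");
  }
  if (response.status === 401 || response.status === 403) {
    findings.push(`auth issue, not CORS (HTTP ${response.status})`);
  }
  for (const [label, res] of [["preflight", preflight], ["response", response]]) {
    if (label === "preflight" && res.status === 404) continue; // reported above
    const acao = header(res.headers, "Access-Control-Allow-Origin");
    if (acao === "*" && credentials) {
      findings.push(`${label}: wildcard * sent for a credentials: include request`);
    } else if (acao !== "*" && acao !== origin) {
      findings.push(`${label}: Access-Control-Allow-Origin is ${acao ?? "missing"}, expected ${origin}`);
    } else if (credentials && header(res.headers, "Access-Control-Allow-Credentials") !== "true") {
      findings.push(`${label}: Access-Control-Allow-Credentials is not "true"`);
    }
  }
  return findings;
}

// Constructed captures (not real traffic).
const ORIGIN = "https://yourapp.com";
const okPreflight = { status: 204, headers: { "access-control-allow-origin": ORIGIN } };
const SAMPLE_WILDCARD = { origin: ORIGIN, credentials: true,
  preflight: { status: 204, headers: { "Access-Control-Allow-Origin": "*" } },
  response: { status: 200, headers: { "Access-Control-Allow-Origin": "*" } } };
const SAMPLE_NO_OPTIONS = { origin: ORIGIN, credentials: false,
  preflight: { status: 404, headers: {} },
  response: { status: 200, headers: { "Access-Control-Allow-Origin": ORIGIN } } };
const SAMPLE_AUTH = { origin: ORIGIN, credentials: false, preflight: okPreflight,
  response: { status: 401, headers: {} } };

for (const s of [SAMPLE_WILDCARD, SAMPLE_NO_OPTIONS, SAMPLE_AUTH]) {
  console.log(diagnoseCors(s));
}
```

The `SAMPLE_AUTH` case produces two findings, the 401 and a missing `Access-Control-Allow-Origin`, which is why the browser reports an auth failure as a CORS error.
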

Use CORSFixer to send a live preflight to your API and see exactly what headers are returned — independent of your browser state and extensions.
