Sunday 19 November 2017
node.js - Why doesn't adding CORS headers to an OPTIONS route allow browsers to access my API?
Answer
Answer
I am trying to support CORS in my
Node.js application that uses the Express.js web framework. I have read href="http://groups.google.com/group/express-js/browse_thread/thread/71db58df2c74d06a"
rel="noreferrer">a Google group discussion about how to handle this, and
read a few articles about how CORS works. First, I did this (code is written in
CoffeeScript
syntax):
app.options
"*", (req, res) ->
res.header 'Access-Control-Allow-Origin',
'*'
res.header 'Access-Control-Allow-Credentials', true
# try:
'POST, GET, PUT, DELETE, OPTIONS'
res.header 'Access-Control-Allow-Methods',
'GET, OPTIONS'
# try: 'X-Requested-With, X-HTTP-Method-Override,
Content-Type, Accept'
res.header 'Access-Control-Allow-Headers',
'Content-Type'
#
...
It
doesn't seem to work. It seems like my browser (Chrome) is not sending the initial
OPTIONS request. When I just updated the block for the resource I need to submit a
cross-origin GET request
to:
app.get "/somethingelse",
(req, res) ->
# ...
res.header 'Access-Control-Allow-Origin',
'*'
res.header 'Access-Control-Allow-Credentials', true
res.header
'Access-Control-Allow-Methods', 'POST, GET, PUT, DELETE, OPTIONS'
res.header
'Access-Control-Allow-Headers', 'Content-Type'
#
...
It
works (in Chrome). This also works in Safari.
I
have read that...
In a browser implementing CORS, each cross-origin GET or POST request is
preceded by an OPTIONS request that checks whether the GET or POST is
OK.
So
my main question is, how come this doesn't seem to happen in my case? Why isn't my
app.options block called? Why do I need to set the headers in my main app.get
block?
Answer
To answer your main question, the CORS spec
only requires the OPTIONS call to precede the POST or GET if the POST or GET has any
non-simple content or headers in
it.
Content-Types that require a CORS pre-flight
request (the OPTIONS call) are any Content-Type except the
following:
application/x-www-form-urlencoded
multipart/form-data
text/plain
Any
other Content-Types apart from those listed above will trigger a pre-flight
request.
As for Headers, any Request Headers
apart from the following will trigger a pre-flight
request:
Accept
Accept-Language
Content-Language
Content-Type
DPR
Save-Data
Viewport-Width
Width
Any
other Request Headers will trigger the pre-flight
request.
So, you could add a custom header such
as: x-Trigger: CORS
, and that should trigger the pre-flight
request and hit the OPTIONS block.
See href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Preflighted_requests"
rel="noreferrer">MDN Web API Reference - CORS Preflighted
requests
php - file_get_contents shows unexpected output while reading a file
I want to output an inline jpg image as a base64 encoded string, however when I do this : $contents = file_get_contents($filename); print &q...
-
I have an app which needs a login and a registration with SQLite. I have the database and a user can login and register. But i would like th...
-
I would like to use enhanced REP MOVSB (ERMSB) to get a high bandwidth for a custom memcpy . ERMSB was introduced with the Ivy Bridge micro...
-
According to my understanding, and my calculator, cos(90 degrees) equals 0 . In my code, I have a funct...
No comments:
Post a Comment