Response Headers Missing #2

Closed
Siyfion opened this issue Apr 25, 2013 · 8 comments
@Siyfion
Contributor

Siyfion commented Apr 25, 2013

First off, let me just say thanks for creating a (potentially) very useful bit of middleware!

The issue I'm having is that none of the headers seem to be injected into the response at all; even though I think my configuration is correct.

I have my routes in routes.js, along with the cors middleware:

```js
'use strict';

/**
 * Module dependencies.
 */

var cors = require('cors');

var corsOptions = {
  origin: true,
  methods: ['POST'],
  credentials: true,
  maxAge: 3600,
  enablePreflight: true
};

module.exports = function (app) {

  /**
   * Session Routes
   */
  var login = require('../routes/login');
  app.post('/api/login', cors(corsOptions), login.login);
};
```

Here's the request from the client:

```http
OPTIONS /api/login HTTP/1.1
Host: label-logic-live.herokuapp.com
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://label-logic-live.herokuapp.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31
Access-Control-Request-Headers: accept, origin, content-type
Accept: */*
Referer: http://label-logic-live.herokuapp.com/user/login
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
```

and the response:

```http
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Thu, 25 Apr 2013 10:14:21 GMT
Etag: "4045-1366883997000"
Last-Modified: Thu, 25 Apr 2013 09:59:57 GMT
Set-Cookie: connect.sess=s%3Aj%3A%7B%7D.RZPCUBnPSt9dBV6%2FCAegqeEuY%2FlfIPlCWM%2Fm9HZS5L%2FUY4xJ9DkQXjPR%2FzN0VLheAaqlk59sgPWU%2FBgTiL9N4Q; Path=/; HttpOnly
Vary: Accept-Encoding
X-Powered-By: Express
transfer-encoding: chunked
Connection: keep-alive
```

And then I get a normal error in the browser console:

```
XMLHttpRequest cannot load https://label-logic-live.herokuapp.com/api/login. Origin http://label-logic-live.herokuapp.com is not allowed by Access-Control-Allow-Origin. /user/login:1
```

@Siyfion
Contributor Author

Siyfion commented Apr 26, 2013

@troygoode Oh and I'm using the latest version of node.js and express.

troygoode added a commit that referenced this issue Apr 28, 2013
troygoode added a commit that referenced this issue Apr 28, 2013
@troygoode
Member

Looks like the issue is that express requires us to manually enable OPTIONS requests (I incorrectly assumed app.GET would also receive requests with an OPTIONS method). Fix incoming.

The one part I'm still a bit confused about is that the spec says simple methods, including POST, don't require a preflight OPTIONS request - so it isn't clear to me why an OPTIONS request is even being made against your route.

troygoode added a commit that referenced this issue Apr 28, 2013
@Siyfion
Contributor Author

Siyfion commented Apr 28, 2013

I did wonder if it was just that in express, app.get only gets called with a GET, not OPTIONS as well.

I think OPTIONS is being called due to the fact that the calling domain is http://... and the request is to https://...

@troygoode
Member

That could be. After further testing it looks like the library works fine, you just have to manually apply it to both OPTIONS and POST in your case. The fix is simply to specify cors for the OPTIONS request as well, so your code would look like this:

```js
/* snip */
app.options('/api/login', cors(corsOptions), login.login); //add this line
app.post('/api/login', cors(corsOptions), login.login);
/* snip */
```

I'm working on updated docs that point this out as well as a Heroku-hosted client/server example that will illustrate (and let me more easily verify) that everything is hunky-dory.

troygoode added a commit to troygoode/node-cors-client that referenced this issue Apr 28, 2013
troygoode added a commit to troygoode/node-cors-server that referenced this issue Apr 28, 2013
@troygoode
Member

Interactive example that verifies everything is working using your example code:

http://node-cors-client.herokuapp.com/issue-2.html

Server code:

https://github.com/TroyGoode/node-cors-server/blob/master/app.js#L45

@Siyfion
Contributor Author

Siyfion commented Apr 28, 2013

Fantastic, thanks for the help! 👍

@Siyfion
Contributor Author

Siyfion commented Apr 29, 2013

As you said:

> The one part I'm still a bit confused about is that the spec says simple methods, including POST, don't require a preflight OPTIONS request - so it isn't clear to me why an OPTIONS request is even being made against your route.

Well, the MDN states that a preflight is only not required for a POST when the data is one of the following:
application/x-www-form-urlencoded, multipart/form-data, or text/plain
(https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS)

@troygoode
Member

Ahah, interesting. Thanks!
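
The preflight rules discussed in this thread, as an added example that is not part of the original issue or of the cors middleware: it classifies a request as simple or preflighted and checks a preflight reply for the CORS headers a browser requires. The function names and the `application/json` content type are assumptions (the thread never states what the client sent); the origin, URL and header names come from the request and response quoted above.

```javascript
// Added example, not code from the issue thread or the cors middleware.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// CORS applies when scheme, host or port differ between the page origin and the target URL.
function isCrossOrigin(pageOrigin, targetUrl) {
  return new URL(pageOrigin).origin !== new URL(targetUrl).origin;
}

// Reasons a request is not "simple" and therefore preflighted (empty array: no preflight).
function preflightReasons(method, headers) {
  const reasons = [];
  if (!SAFE_METHODS.has(method.toUpperCase())) reasons.push('method:' + method.toUpperCase());
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (!SAFE_HEADERS.has(key)) {
      reasons.push('header:' + key);
    } else if (key === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (!SAFE_TYPES.has(mime)) reasons.push('content-type:' + mime);
    }
  }
  return reasons;
}

// Conservative check of a preflight reply: the origin must be allowed (no "*" for
// credentialed requests) and every requested header name must be listed.
function preflightProblems(origin, requestedHeaders, responseHeaders, credentials) {
  const res = {};
  for (const [k, v] of Object.entries(responseHeaders)) res[k.toLowerCase()] = String(v);
  const problems = [];
  const allowOrigin = res['access-control-allow-origin'];
  const originOk = allowOrigin === origin || (allowOrigin === '*' && !credentials);
  if (!originOk) problems.push('Access-Control-Allow-Origin');
  if (credentials && res['access-control-allow-credentials'] !== 'true') problems.push('Access-Control-Allow-Credentials');
  const allowed = (res['access-control-allow-headers'] || '').toLowerCase().split(',').map(s => s.trim());
  const unlisted = requestedHeaders.filter(h => !allowed.includes(h.toLowerCase()));
  if (unlisted.length) problems.push('Access-Control-Allow-Headers: ' + unlisted.join(', '));
  return problems;
}

// Values from the issue; the JSON content type is an assumed sample.
const pageOrigin = 'http://label-logic-live.herokuapp.com';
const apiUrl = 'https://label-logic-live.herokuapp.com/api/login';
console.log(isCrossOrigin(pageOrigin, apiUrl));
console.log(preflightReasons('POST', { 'Content-Type': 'application/json; charset=utf-8' }));
console.log(preflightProblems(pageOrigin, ['accept', 'origin', 'content-type'],
  { 'Content-Type': 'text/html; charset=UTF-8', 'X-Powered-By': 'Express' }, true));
```
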
