CORS headers to include 'Origin' #2894

Closed
nettaru opened this issue Nov 2, 2015 · 17 comments

@nettaru nettaru commented Nov 2, 2015

Safari is sending 'Origin' in its headers, and therefore is denied by hapi, which makes the OPTIONS request fail and return 404:
screen shot 2015-11-02 at 15 46 10

Need to add 'Origin' to the allowed headers to fix the issue:
https://github.com/hapijs/hapi/blob/master/lib/defaults.js#L86

Contributor

@mtharrison mtharrison commented Nov 2, 2015

You're making a cross origin request there. Have you enabled CORS on your /token route?

Author

@nettaru nettaru commented Nov 2, 2015

Yes. It's set to true on all the routes in the server configuration, like so:

server: {
    port: 3000,
    router: {
      stripTrailingSlash: true
    },
    routes: {
      cors: true
    }
  }

Contributor

@mtharrison mtharrison commented Nov 2, 2015

Is that a Glue manifest? Are you using the latest versions of everything? The routes option is supposed to sit under a connections object:

var manifest = {
    server: {
        connections: {
            routes: {
                cors: true
            }
        }
    },
    connections: [
        ...
    ],
    plugins: [
        ...   
    ]
};

Author

@nettaru nettaru commented Nov 2, 2015

Not using Glue. The object above is my serverConfig object, and I'm using it like so in my app.js: server.connection(serverConfig).

I'm using hapi 11.0.2 because I'm getting the following error for 11.0.3:
screen shot 2015-11-02 at 16 37 48

Member

@devinivy devinivy commented Nov 2, 2015

hapi v10 and v11 are meant to be used with node v4, which is probably the issue you've run into above! Up until 11.0.3 hapi worked on node v0.10 essentially by coincidence.

I'm curious if you're able to verify your cors issue using curl or a similar client, by checking to see that the origin header is the only difference for you between a working cors request and a failing cors request. Does adding 'origin' to cors.additionalHeaders fix your issue?


@darsee darsee commented Nov 2, 2015

> Does adding 'origin' to cors.additionalHeaders fix your issue?

It seems to fix the issue for me.

Author

@nettaru nettaru commented Nov 2, 2015

@devinivy Thanks, updating node did help the terminal issue.
As for the second question - it does fix the issue. When I do the same request from Chrome there is no problem, since the header is different (includes only access and content-type):
screen shot 2015-11-02 at 17 12 50

Contributor

@mtharrison mtharrison commented Nov 2, 2015

This looks like a bug indeed then. Here's a minimal example to confirm the issue. Looks like settings._headers needs to include origin to keep Safari happy, as @nettaru said.


@primitive-type primitive-type commented Nov 2, 2015

I can confirm that the origin workaround works for me as well.

Author

@nettaru nettaru commented Nov 2, 2015

I'll create a PR

Author

@nettaru nettaru commented Nov 3, 2015

@mtharrison @devinivy I've created the fixing PR here: #2895

@hueniverse hueniverse added the bug label Nov 3, 2015
@hueniverse hueniverse added this to the 11.0.5 milestone Nov 3, 2015
@hueniverse hueniverse self-assigned this Nov 3, 2015
@hueniverse hueniverse closed this in 47de666 Nov 3, 2015
Contributor

@hueniverse hueniverse commented Nov 3, 2015

I am not sure if this is enough but can you please test master? It will implicitly allow Origin but will not include it in the response. I don't have Safari to test it out. If you can confirm master works, I'll publish.
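
The behaviour described in the comment above (accept Origin in the preflight's requested headers without listing it in the response), as an added example that is not part of this thread or hapi's own code. The allowed-header list, the function names and the two sample preflights are constructed assumptions.

```javascript
// Added illustration, not hapi source code. Models the preflight header
// check discussed in this thread. ALLOWED_HEADERS is an assumed route setup.
const ALLOWED_HEADERS = ['Accept', 'Authorization', 'Content-Type', 'If-None-Match'];

// Parse an Access-Control-Request-Headers value into lowercase header names.
function parseRequestHeaders(value) {
    return (value || '')
        .split(',')
        .map((name) => name.trim().toLowerCase())
        .filter((name) => name.length > 0);
}

// Decide a preflight. With implicitOrigin set, 'origin' is accepted in the
// requested list but is still left out of Access-Control-Allow-Headers.
function checkPreflight(preflight, allowedHeaders, implicitOrigin) {
    const accepted = new Set(allowedHeaders.map((name) => name.toLowerCase()));
    if (implicitOrigin) {
        accepted.add('origin');
    }
    const requested = parseRequestHeaders(preflight['access-control-request-headers']);
    const rejected = requested.filter((name) => !accepted.has(name));
    if (!preflight.origin || rejected.length > 0) {
        return { ok: false, rejected, allowHeaders: null };
    }
    return { ok: true, rejected, allowHeaders: allowedHeaders.join(',') };
}

// Constructed sample preflights (not captured traffic).
const safariLike = {
    origin: 'https://app.example',
    'access-control-request-method': 'POST',
    'access-control-request-headers': 'origin, accept, content-type'
};
const chromeLike = {
    origin: 'https://app.example',
    'access-control-request-method': 'POST',
    'access-control-request-headers': 'accept, content-type'
};

for (const [label, preflight] of [['safari-like', safariLike], ['chrome-like', chromeLike]]) {
    const strict = checkPreflight(preflight, ALLOWED_HEADERS, false);
    const relaxed = checkPreflight(preflight, ALLOWED_HEADERS, true);
    console.log(label, 'strict:', strict.ok, strict.rejected, 'implicit origin:', relaxed.ok);
}
```

The response list stays the same in both modes, so accepting Origin this way does not widen what the route advertises to cross-origin callers.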

Contributor

@mtharrison mtharrison commented Nov 3, 2015

My example above works with master now.

Author

@nettaru nettaru commented Nov 4, 2015

@hueniverse The request works now with the hapi upgrade. Thanks!


@pabx06 pabx06 commented Mar 6, 2017

Hello, help needed.
I have this strange behaviour: the request WORKS, but the preflight request (the one with the OPTIONS method) does not.

This is a screen-cap of the problem,
since Chrome is sending a pre-flight request before the actual request.

hapi-options

Contributor

@Marsup Marsup commented Mar 6, 2017

Which hapi version?


@pabx06 pabx06 commented Mar 7, 2017

Problem solved: Insomnia (https://insomnia.rest/download) was stripping out the Origin header sometimes. What a pain. Then I tweaked the hapi conf and then it worked. Thanks Marsup.

I added a route with an option that prints the headers received. Wireshark was unable to listen to loopback :(

By the way, I am using hapi@16.1.0

@lock lock bot locked as resolved and limited conversation to collaborators Jan 9, 2020