CORS raising error (correctly), but API POST succeeding

[drewbelmont]

I must be missing a basic step. I'm using allow_origin to restrict requests to my API, e.g.:

'allow_origin'=>'https://x.com',

When I call the API (e.g., from https://example.com), I see an error in the developer console:

Failed to load https://.../api/testpost: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://example.com' is therefore not allowed access.

But the data is inserted into the database (this is a POST) and I get the new id back in the response.

Am I supposed to handle a CORS failure myself, and make sure to terminate the request?

[mevdschee]

Am I supposed to handle a CORS failure myself, and make sure to terminate the request?

No, AFAIK not. As I understand CORS, it is a security rule enforced by the browser.

[jledun]

I guess you simply have to add "Access-Control-Allow-Origin: *" to your http request headers.

[mevdschee]

you simply have to add "Access-Control-Allow-Origin: *" to your http request headers.

AFAIK this is a response header and not a request header.

See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS?redirectlocale=en-US&redirectslug=HTTP_access_control#The_HTTP_response_headers

[drewbelmont]

Thanks for your quick response. I did a little more research and confirmed what you say, that it's the browser that enforces cross-origin restrictions. So what I'm seeing is expected CORS behavior. And you indirectly answered my question: If the request origin is not in my 'allow_origin' list, then the library will not send the Access-Control-Allow-Origin header, and the browser will block the frontend code from seeing the response. But the library does not go beyond that and kill the request. I do want to kill the request -- I don't want the data inserted if the browser blocks the response and presents an error -- so I'm killing the request in the allow_origin function and returning an error.

[mevdschee]

Thank you very much for your thorough analysis. I added a quick fix.. can you confirm that this fixes the bug?

[drewbelmont]

Works for me, thanks!