CORS raising error (correctly), but API POST succeeding #361

Closed
drewbelmont opened this issue Mar 30, 2018 · 6 comments
@drewbelmont

I must be missing a basic step. I'm using allow_origin to restrict requests to my API, e.g.:

'allow_origin'=>'https://x.com',

When I call the API (e.g., from https://example.com), I see an error in the developer console:

Failed to load https://.../api/testpost: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://example.com' is therefore not allowed access.

But the data is inserted into the database (this is a POST) and I get the new id back in the response.

Am I supposed to handle a CORS failure myself, and make sure to terminate the request?

@mevdschee
Owner

> Am I supposed to handle a CORS failure myself, and make sure to terminate the request?

No, AFAIK not. As I understand CORS, it is a security rule enforced by the browser.

@mevdschee mevdschee self-assigned this Mar 30, 2018
@jledun

jledun commented Mar 31, 2018

I guess you simply have to add "Access-Control-Allow-Origin: *" to your http request headers.

@mevdschee
Owner

mevdschee commented Mar 31, 2018

> you simply have to add "Access-Control-Allow-Origin: *" to your http request headers.

AFAIK this is a response header and not a request header.

See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS?redirectlocale=en-US&redirectslug=HTTP_access_control#The_HTTP_response_headers

@drewbelmont
Author

Thanks for your quick response. I did a little more research and confirmed what you say, that it's the browser that enforces cross-origin restrictions. So what I'm seeing is expected CORS behavior. And you indirectly answered my question: If the request origin is not in my 'allow_origin' list, then the library will not send the Access-Control-Allow-Origin header, and the browser will block the frontend code from seeing the response. But the library does not go beyond that and kill the request. I do want to kill the request -- I don't want the data inserted if the browser blocks the response and presents an error -- so I'm killing the request in the allow_origin function and returning an error.

@mevdschee mevdschee added bug and removed question labels Apr 1, 2018
mevdschee added a commit that referenced this issue Apr 1, 2018
mevdschee added a commit that referenced this issue Apr 1, 2018
@mevdschee
Owner

Thank you very much for your thorough analysis. I added a quick fix. Can you confirm that this fixes the bug?

@drewbelmont
Author

Works for me, thanks!
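
An added example (not code from this thread or from the library) of the server-side check the thread converges on: refuse a disallowed Origin before the write, instead of only withholding the Access-Control-Allow-Origin header from a request the browser sent without a preflight. The function names, the comma-separated allow list, the 403 status and the in-memory `$db` are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not the library's code: decide whether a request may
// proceed, based on its Origin header and a comma-separated allow list.
function originDecision(?string $origin, string $allowOrigin): array
{
    $allowed = array_map('trim', explode(',', $allowOrigin));
    if ($origin === null) {
        // No Origin header: not a cross-origin browser request (curl,
        // server-to-server). CORS does not apply; authentication must.
        return ['proceed' => true, 'headers' => []];
    }
    if (in_array('*', $allowed, true) || in_array($origin, $allowed, true)) {
        return ['proceed' => true,
                'headers' => ['Access-Control-Allow-Origin' => $origin, 'Vary' => 'Origin']];
    }
    // Disallowed origin: refuse BEFORE touching the database, instead of
    // only omitting the CORS header and letting the write happen.
    return ['proceed' => false, 'headers' => []];
}

// Constructed stand-in for an API POST handler; $db is an in-memory table.
function handlePost(array $server, string $body, array &$db, string $allowOrigin): array
{
    $decision = originDecision($server['HTTP_ORIGIN'] ?? null, $allowOrigin);
    if (!$decision['proceed']) {
        return ['status' => 403, 'headers' => [], 'body' => 'Origin is forbidden'];
    }
    $db[] = $body; // the state change happens only after the origin check
    return ['status' => 200, 'headers' => $decision['headers'],
            'body' => (string) count($db)]; // new id
}

// Constructed sample requests: one allowed origin, one disallowed.
$db  = [];
$ok  = handlePost(['HTTP_ORIGIN' => 'https://x.com'], '{"a":1}', $db, 'https://x.com');
$bad = handlePost(['HTTP_ORIGIN' => 'https://example.com'], '{"a":2}', $db, 'https://x.com');
printf("allowed origin: status=%d id=%s\n", $ok['status'], $ok['body']);
printf("blocked origin: status=%d rows=%d\n", $bad['status'], count($db));
```

The Origin header is set by the browser, and a non-browser client can send any value, so this check complements authentication rather than replacing it.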
