[CORS] Access-Control-Allow-Origin header missing #83
https://gist.github.com/Shelob9/87f9474df0f541e07383

2015-09-05 2:09 GMT-03:00 Julien Renaux notifications@github.com:

> @romuloctba Don't you want to create a PR so everybody can benefit from these changes (if it works)?

Well, my friend, those are not changes; they are 3 different hooks that will provide a header with the required Access-Control-Allow-Origin etc. for you. You should put it in your functions.php or (better) wrap it into a plugin. Btw, it's not my code either. You could install wp-api cors, available in the WordPress plugin directory, but you should not use it in production, since it allows all with *. I don't think the oAuth plugin should have anything related to CORS, since it should be used with wp-api, which should. Well, this is untested though, so I can only hope it helps you with your problem.
That Gist doesn't work for Oauth1 because the "rest_pre_serve_request" action doesn't get triggered for Oauth1 requests (since it's not technically a WP-API route). I wrote a plugin that tackles the CORS issues with Oauth, by plugging into The other issue you run into after fixing the CORS issues is that the Oauth1 plugin uses
If you're thinking of using CORS to send your Client ID and Client Secret to your WP site, I suggest you reconsider and use a server call or a server proxy. Holding a Client Secret securely in client-side code is impossible. For a longer explanation, look here: http://alexbilbie.com/2014/11/oauth-and-javascript/
Per @coderkevin's note, you're not meant to access these directly via the client side, which is why they don't have the CORS headers.
That depends on the auth flow you've built. In my case, only the first few steps (until the WP login step) are handled in the JS client. After that the rest of the flow is effectively handed off to a server (cloud), which then handles the remaining steps behind the scenes. This server then securely communicates with the resource and exchanges data, and the client doesn't need access to the OAuth1 tokens, keys etc., but can still benefit from the data exchange. The client thus only needs the key and secret for a short time. However, this is currently not possible due to the reasons mentioned above.
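A WordPress snippet, added here as an example and not the gist or plugin discussed in this thread, that sends CORS headers on WP REST API responses only to an explicit allowlist of origins instead of the wildcard "*" the thread warns against; the allowlist entries and the example_ function names are constructed placeholders. As noted above, rest_pre_serve_request does not fire for the OAuth1 endpoints, so this covers REST routes only.

```php
<?php
/**
 * Plugin Name: REST CORS allowlist (added example, not the thread's gist)
 *
 * Echoes the request's Origin back in Access-Control-Allow-Origin only when
 * that origin is on an explicit allowlist. A wildcard "*" would let any site
 * read authenticated REST responses from a logged-in visitor's browser.
 */

// Constructed allowlist: scheme + host + port, no trailing slash or path.
function example_cors_allowed_origins() {
    return array(
        'http://localhost:8080',   // the dev origin quoted in this issue
        'https://app.example.com', // placeholder for a production front end
    );
}

/**
 * Runs on the rest_pre_serve_request filter, which WordPress applies to every
 * REST response (including OPTIONS preflights) before the body is sent.
 */
function example_send_allowlisted_cors_headers( $served, $result, $request, $server ) {
    // get_http_origin() returns the Origin request header, or '' when absent.
    $origin = get_http_origin();

    // Strict comparison so 'http://localhost:8080.evil.test' is not accepted.
    if ( $origin && in_array( $origin, example_cors_allowed_origins(), true ) ) {
        header( 'Access-Control-Allow-Origin: ' . $origin );
        header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
        header( 'Access-Control-Allow-Headers: Authorization, Content-Type' );
        header( 'Access-Control-Allow-Credentials: true' );
        // Caches must key on Origin, or one origin's response could be
        // replayed to another origin with the wrong Allow-Origin value.
        header( 'Vary: Origin', false );
    }
    // Origins not on the list get no CORS headers at all, so the browser
    // blocks the cross-origin read (same outcome the issue reporter saw).

    return $served;
}
add_filter( 'rest_pre_serve_request', 'example_send_allowlisted_cors_headers', 10, 4 );
```

Drop the file into wp-content/mu-plugins/ (or wrap it as a normal plugin) rather than functions.php, so it survives theme changes.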
From a JS client I get the following message on oauth1/request:

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access. The response had HTTP status code 400.
You might want to copy this function from the WP-API: