CORS Issue


#1

Hi

My RAML document resides in a different domain than my console. I added the following entry in my nginx configuration…

location ~ .(ttf|ttc|otf|eot|woff|font.css|css|js|gif|png|html)$ {
    expires 6h;
    add_header Pragma public;
    add_header Cache-Control "public";
    add_header Access-Control-Allow-Origin "*";
    add_header Access-Control-Allow-Methods: POST,GET,PUT,DELETE;
}

My request header is showing as an OPTIONS rather than a POST method… I don’t get any response from my API. What other changes should I make to resolve the CORS issue?

Thanks


#2

I think you need to add the OPTIONS method to Access-Control-Allow-Methods.

When using the console, if you are sending a request that has a non-standard header, it will first send an OPTIONS request to ask whether the header is allowed or not. If it is allowed, then your POST request will be sent.


#3

Thanks for your response. Now I see that when my request first hits the nginx server, I get the following response headers:

Access-Control-Allow-Headers:Content-Type,Accept
Access-Control-Allow-Methods:: POST,GET,PUT,DELETE,OPTIONS
Access-Control-Allow-Origin:*
Connection:keep-alive
Content-Length:0
Date:Mon, 04 May 2015 15:32:00 GMT
Server:nginx/1.8.0
Set-Cookie:JSESSIONID=app~04EFE2A61090FBF7A1B837A87C85A705; Path=/; Secure; HttpOnly

Now the browser is not sending back my POST request. What could be the issue?

Thanks


#4

Which response code is the OPTIONS request returning? If it is a 403 Forbidden, it means that the headers you are sending are not allowed by your CORS configuration; you should add the “non standard” headers you are using to the “Access-Control-Allow-Headers” configuration.


#5

By adding the following headers, we were able to resolve the issue…

add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,origin,authorization,accept,client-security-token';

Thanks
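
Added example (not part of the thread and not any poster's code): a simplified Python model of the browser's preflight decision discussed in posts #2 to #5, run against the response headers from post #3 and the header list from post #5. The origin `https://console.example` and the request headers are assumptions, since the thread does not say which header the console sent; the value-length rules for safelisted headers are left out.

```python
# Added example: simplified model of a browser's CORS preflight decision.
SAFE_METHODS = {"GET", "HEAD", "POST"}
SAFE_HEADERS = {"accept", "accept-language", "content-language"}
SAFE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}

def _tokens(value):
    """Split a comma-separated header value into lowercase tokens."""
    return {t.strip().lower() for t in (value or "").split(",") if t.strip()}

def preflight_problems(origin, method, req_headers, status, resp_headers, credentials=False):
    """Return reasons the real request would be withheld (empty list = it is sent)."""
    resp = {k.lower(): v for k, v in resp_headers.items()}
    problems = []
    if not 200 <= status <= 299:
        problems.append(f"preflight status {status} is not 2xx")
    allow_origin = resp.get("access-control-allow-origin")
    if allow_origin not in ("*", origin):
        problems.append(f"origin {origin} is not allowed")
    if credentials and allow_origin == "*":
        problems.append("wildcard origin is rejected for credentialed requests")
    if credentials and resp.get("access-control-allow-credentials") != "true":
        problems.append("Access-Control-Allow-Credentials: true is missing")
    wildcard = not credentials  # "*" only acts as a wildcard without credentials
    methods = _tokens(resp.get("access-control-allow-methods"))
    if method.upper() not in SAFE_METHODS and method.lower() not in methods \
            and not (wildcard and "*" in methods):
        problems.append(f"method {method} is not allowed")
    allowed = _tokens(resp.get("access-control-allow-headers"))
    for name, value in req_headers.items():
        n = name.lower()
        if n in SAFE_HEADERS:
            continue  # safelisted header, never needs to be listed
        if n == "content-type" and value.split(";")[0].strip().lower() in SAFE_CONTENT_TYPES:
            continue  # only these three media types are safelisted
        covered = n in allowed or (wildcard and "*" in allowed and n != "authorization")
        if not covered:
            problems.append(f"header {name} is not in Access-Control-Allow-Headers")
    return problems

# Constructed sample: the origin and the request headers are assumptions.
ORIGIN = "https://console.example"
REQUEST = {"Content-Type": "application/json", "Authorization": "Bearer <token>"}
POST3 = {"Access-Control-Allow-Origin": "*",
         "Access-Control-Allow-Methods": "POST,GET,PUT,DELETE,OPTIONS",
         "Access-Control-Allow-Headers": "Content-Type,Accept"}
POST5 = {**POST3, "Access-Control-Allow-Headers": "DNT,X-CustomHeader,Keep-Alive,"
         "User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,"
         "origin,authorization,accept,client-security-token"}
```

With `credentials=True` the same check reports the `*` origin as a problem, which matters here because the response in post #3 also sets a session cookie.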