http - Preflight request not being handled by apache (CORS) -

-

general:

request url:x/site.php request method:options status code:302 found remote address:x.x.x.x:80

response headers:

view source access-control-allow-headers:content-type access-control-allow-origin:* access-control-max-age:300 cache-control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0 content-length:0 content-type:text/html; charset=utf-8 date:thu, 02 mar 2017 14:27:21 gmt expires:thu, 19 nov 1981 08:52:00 gmt location:y pragma:no-cache server:apache/2.4.25 (ubuntu)

request headers:

view source accept:*/* accept-encoding:gzip, deflate, sdch accept-language:en-us,en;q=0.8 access-control-request-headers:authorization access-control-request-method:post cache-control:no-cache connection:keep-alive dnt:1 host:x origin:http://127.0.0.1:3000 pragma:no-cache referer:http://127.0.0.1:3000/ user-agent:mozilla/5.0 (x11; linux x86_64) applewebkit/537.36 (khtml, gecko) chrome/54.0.2840.90 safari/537.36

apache virtualhost config looks so:

    <ifmodule mod_headers.c>            header set access-control-allow-origin "http://127.0.0.1:3000"            header set access-control-allow-origin "http://127.0.0.1"            header set access-control-max-age "300"            header set access-control-allow-credentials "true"            header set access-control-allow-headers "origin, x-requested-with, content-type, accept"            header set access-control-allow-methods "post, get, put, delete, patch, options"     </ifmodule>

the preflight request skipping apache config , hitting webapp directly, redirect (hence 302 , location: y).

i don't know why preflight request not being handled apache?

the 2 main things need change/add are:

  • use header set instead of header set
  • use mod_rewrite handle options sending 200 ok headers

so enable request in question work, here’s minimal(ish) config snippet:

header set access-control-allow-origin "*" header set access-control-allow-headers "authorization" header set access-control-allow-methods "get, options" header set access-control-expose-headers "content-security-policy, location" header set access-control-max-age "600"  rewriteengine on rewritecond %{request_method} options rewriterule ^(.*)$ $1 [r=200,l]

longer explanation @ https://benjaminhorn.io/code/setting-cors-cross-origin-resource-sharing-on-apache-with-correct-response-headers-allowing-everything-through/

some general notes on values set various access-control- response headers:

  • access-control-allow-headers: must set include header names request sends except    cors-safelisted header names or so-called “forbidden” header names (names of headers set browser can’t set in javascript); the spec alternatively allows * wildcard value—so can try someday, no browser supports yet: chrome bug, firefox bug, safari bug

  • access-control-allow-methods: the spec alternatively allows * wildcard—but again, access-control-allow-headers: *, no browsers support yet

  • access-control-expose-headers: must set include response headers client code needs read beyond cache-control,content-language,content-type, expires, last-modified , pragma—which exposed default (a lot of people forget set , end baffled why can’t read value of particular response header); again the spec alternatively allows * wildcard here, no browsers support yet

  • access-control-max-age: chrome has upper limit of 600 (10 minutes) hardcoded, there’s no point in setting higher value (firefox may respect it, chrome throttle down 10 minutes if set higher, , safari limits 5 minutes)

so then, particular request shown in question, here specific notes:

  • your request has access-control-request-headers:authorization in apache config, add authorization in access-control-allow-headers response header too.

  • origin “forbidden” header name set browser, , accept cors-safelisted header name, don’t need include them in access-control-allow-headers

  • your request sends no content-type, isn’t needed in access-control-allow-headers in response (and never needed get requests , otherwise needed if type other application/x-www-form-urlencoded, text/plain, or multipart/form-data)

  • for access-control-allow-methods, request seems get, unless plan make post/put/delete/patch requests, no point in explicitly including them


Comments

Post a Comment

Popular posts from this blog

ios - MKAnnotationView layer is not of expected type: MKLayer -

-
Image
so code works fine logger riddled message. there way rid of or suppress it? postannotation.swift class postannotation: mkpointannotation { //mark: properties let post: post //mark: initialization init(post: post) { self.post = post super.init() self.coordinate = cllocationcoordinate2d(latitude: post.latitude, longitude: post.longitude) self.title = post.title self.subtitle = post.timestring() } } adding annotation let annotation = postannotation(post: post) self.map.addannotation(annotation) func mapview func mapview(_ mapview: mkmapview, viewfor annotation: mkannotation) -> mkannotationview? { if annotation mkuserlocation { return nil } var annotationview = mapview.dequeuereusableannotationview(withidentifier: "pin") as? mkpinannotationview if annotationview == nil { annotationview = mkpinannotationview(annotation: annotation, reuseidentifier: "pin")
Read more

ZeroMQ on Windows, with Qt Creator -

-
i have installed zmq link given below on windows 7. http://zeromq.org/distro:microsoft-windows 1) have c++ project in qt-creator , i'm using zmq c++ binding (zhelpers.hpp etc). 2) have added .lib installed zmq folder qtcreator 3) while compiling, compiler looks _imp__zmq_verion, in .dll files present in .lib have __imp_zmq_version. 4) causing undefined reference zmq_version. anyone else faced problem , has solution ?
Read more

unity3d - Unity SceneManager.LoadScene quits application -

-
i have 2 different scenes 1 named 'main' , other 'game' both added scenes in load. when use scenemanager.loadscene("game"); works no problem when tried return main scene code if (input.getkeydown (keycode.escape)) { scenemanager.loadscene("main"); } strangely game quits. thanks. sorry interruption. somewhere on other script found code. if (input.getkeydown (keycode.escape)) { application.quit (); } that's bad, know...
Read more