ajax get request to Office365 REST Api fails CORS?

Question

I'm attempting to make an ajax GET request to the Office365 RESTful API service from my local server, but am running into cross-domain HTTPRequest errors. The following is a sample of my 'get-files-at-root' attempt:

$.ajax({
  url: 'https://[sharepoint_site]/_api/v1.0/me/files?access_token='+token,
  type: 'get',
  dataType: 'json',
  success: function(data) {
    if (success){
      success(data);
    }
  },
  error: error
})

I'm getting the following response from the server:

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access. The response had HTTP status code 403.

I've tried sending the access token as a header parameter:

headers: {'Authorization': 'Bearer '+ token}

but this had the same result.

Any ideas on what I'm doing wrong?

(Background: I'm trying to create my own Office365 'file picker' on the client because I couldn't find an available library for OneDrive Business that supplies this.)

Answer 1

Office 365 Files API and SharePoint REST have just introduced support for CORS.

https://msdn.microsoft.com/en-us/office/office365/howto/create-web-apps-using-CORS-to-access-files-in-Office-365

What you were trying to do is exactly how it works. The service will respond to the OPTIONS pre-flight request with an Access-Control-Allow-Origin header.

The authorization in the request must be an Azure Active Directory issued OAuth2 implicit grant access token.