Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

CORS error with AngularJS post only in FireFox

I am having issues only with FireFox when making a cross origin request in an Ionic app (so it's using AngularJS). The js app is doing a $http.post() to a Laravel 5.1 API, and I get the following error only in FireFox (39.0.3):

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://blah.dev/endpoint. (Reason: missing token 'content-type' in CORS header 'Access-Control-Allow-Headers' from CORS preflight channel).

This is on my localhost (OSX Mavericks). and works fine in Chrome and Safari, only FireFox is given the error. I have cleared the cache, and tried in a "private window", with the same results.

Here is the Laravel route defined to handle the OPTIONS request:

Route::options('endpoint', function() {
    return response('OK')
        ->header('Access-Control-Allow-Headers ', 'Origin, Authorization, X-Requested-With, Content-Type, Accept')
        ->header('Access-Control-Allow-Methods', 'POST, GET, OPTIONS')
        ->header('Access-Control-Allow-Origin', '*')
        ->header('Cache-Control', 'no-store, no-cache, must-revalidate, post-check=0, pre-check=0')
        ;
});

Route::post('endpoint', array('uses' => '\Path\To\Controller@endpoint'));

I did find this question that seems to have a similar issue only in FireFox, but the solution was to comma separate the Allow-Methods, which I already am.

like image 732
shauno Avatar asked Oct 30 '22 21:10

shauno


1 Answers

The message " missing token 'content-type' " is about the client. For a http request to be a valid post one, it must have a header

'Content-Type': 'application/x-www-form-urlencoded' 

or

'Content-Type': 'multipart/form-data'

The first content-type is the most common one.

In angularjs one way to do a CORS post request is

$http.post(
        'http://external-domain.ext/the/rest/url',
        'param_name=param_value',
        {headers:{'Content-Type': 'application/x-www-form-urlencoded'}}
    ).
    then(function successCallback(response) {
       $scope.something = response;
    }, function errorCallback(response) {
       // not good
    });

If the server is configured with header('Access-Control-Allow-Origin', '*'), the CORS post must succeed without authentication and credentials.

like image 53
Greg Kelesidis Avatar answered Nov 15 '22 07:11

Greg Kelesidis