If I fake an OPTIONS preflight CORS request from Postman, I don't get the CORS headers back from my API.
It seems the endpoint which you are trying to use has a CORS policy enabled. You need to pass headers like the one mentioned, “Access-Control-Allow-Origin”, in your error message. Generally Postman includes these headers by default.
Postman simply doesn't care about CORS headers. So CORS is just a browser concept and not a strong security mechanism. It allows you to restrict which other web apps may use your backend resources but that's all.
In essence, how do you make POSTMAN behave like a browser? Because we need to test to make sure our APIs are configured correctly. So what if the API works from POSTMAN and it breaks due to CORS from the browser? It means the API is useless.
A preflight request is just an HTTP request, so it can be sent using Postman. To send the request manually you'll need to select OPTIONS for the request method and then set suitable values for the headers Origin, Access-Control-Request-Method and Access-Control-Request-Headers.
After completely reverse engineering the Microsoft.Owin.Cors library I discovered that the headers weren't on the request!
Which led me to this beauty from the Postman docs:
Restricted headers and cookies
Unfortunately some headers are restricted by Chrome and the XMLHttpRequest specification. The following headers are blocked:
Accept-Charset, Accept-Encoding, Access-Control-Request-Headers, Access-Control-Request-Method, Connection, Content-Length, Cookie, Cookie2, Content-Transfer-Encoding, Date, Expect, Host, Keep-Alive, Origin, Referer, TE, Trailer, Transfer-Encoding, Upgrade, User-Agent, Via
https://www.getpostman.com/docs/requests
Aaaaargh. That's a day of my life I won't get back.
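The manual preflight described in the answers above can also be sent from a client that does not restrict Origin or the Access-Control-Request-* headers, and the response judged roughly the way a browser would. The following is an added example, not code from any of the posts: the demo server, its policy, the origins and the path are constructed, and the check is a simplification for requests without credentials (it is stricter than the Fetch rules, which always permit GET, HEAD and POST).

```python
import http.client, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_ORIGIN = "https://app.example"  # constructed policy for the demo server

class DemoAPI(BaseHTTPRequestHandler):
    """Constructed stand-in for the API under test."""
    def do_OPTIONS(self):
        self.send_response(204)
        if self.headers.get("Origin") == ALLOWED_ORIGIN:
            self.send_header("Access-Control-Allow-Origin", ALLOWED_ORIGIN)
            self.send_header("Access-Control-Allow-Methods", "GET, PUT")
            self.send_header("Access-Control-Allow-Headers", "Content-Type")
        self.end_headers()
    def log_message(self, *args): pass  # silence per-request logging

def preflight(host, port, path, origin, method, req_headers):
    """Send the OPTIONS preflight; return (status, lower-cased response headers)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", path, headers={
        "Origin": origin,
        "Access-Control-Request-Method": method,
        "Access-Control-Request-Headers": ", ".join(req_headers)})
    resp = conn.getresponse()
    resp.read()
    hdrs = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return resp.status, hdrs

def browser_would_allow(status, hdrs, origin, method, req_headers):
    """Simplified preflight check for a request without credentials."""
    def tokens(name):
        return {t.strip().lower() for t in hdrs.get(name, "").split(",") if t.strip()}
    if not (200 <= status < 300) or hdrs.get("access-control-allow-origin") not in ("*", origin):
        return False
    methods, allowed = tokens("access-control-allow-methods"), tokens("access-control-allow-headers")
    if method.lower() not in methods and "*" not in methods:
        return False
    return "*" in allowed or all(h.lower() in allowed for h in req_headers)

def check(origin, method="PUT", req_headers=("Content-Type",)):
    # Start the demo API on a free local port and test one origin against it.
    server = HTTPServer(("127.0.0.1", 0), DemoAPI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        status, hdrs = preflight("127.0.0.1", server.server_port, "/items", origin, method, req_headers)
        return browser_would_allow(status, hdrs, origin, method, req_headers)
    finally:
        server.shutdown()
        server.server_close()
```

To test a real API, call `preflight` with its host, port and path and pass the result to `browser_would_allow`.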