CORS HEADERS present only on preflight or every request

Tags: html, cors

It is not clear to me if CORS headers (Access-Control-Allow-Origin, etc.) should be present only on the preflight request (OPTIONS method) or also in the resource's headers (which I'm trying to POST using XHR).

I'm asking this because I installed a Python plugin which handles CORS by only adding the CORS headers to the OPTIONS method (preflight), but not to the requested resource. This approach is NOT solving the CORS issue on Chrome and Firefox, which return messages like

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at [URL]. This can be fixed by moving the resource to the same domain or enabling CORS.

Edit:

I also found more info on http://www.html5rocks.com/en/tutorials/cors/ , which says:

Access-Control-Allow-Origin (required) - This header must be included in all valid CORS responses; omitting the header will cause the CORS request to fail. The value of the header can either echo the Origin request header (as in the example above), or be a '*' to allow requests from any origin. If you’d like any site to be able to access your data, using '*' is fine. But if you’d like finer control over who can access your data, use an actual value in the header.

enapupe asked Jun 17 '14 13:06



2 Answers

They must be present on both responses.

Step 3 of the preflight rules requires that the browser follows the normal make a request steps.

Quentin answered Oct 19 '22 09:10


The Access-Control-Allow-Origin header MUST appear on the response to BOTH the preflight OPTIONS and the GET request itself. If Access-Control-Allow-Credentials appears in the preflight OPTIONS response, it must also appear in the response to the GET. Likewise with the Access-Control-Expose-Headers response header.

The Access-Control-Allow-Headers, Access-Control-Allow-Methods and Access-Control-Max-Age response headers are ONLY needed in the OPTIONS response, and are ignored if they are returned in the response to the main fetch.

See https://fetch.spec.whatwg.org/#http-responses, which is THE CORS spec, and supersedes the older W3C spec (at https://www.w3.org/TR/cors/).

roryhewitt answered Oct 19 '22 09:10
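To make the split described in both answers concrete, here is an added, framework-agnostic example (not from the question, either answer, or the Python plugin the asker mentions) that builds the header set for a preflight OPTIONS response and for the actual response separately. The origin allowlist and the exposed header name are constructed values; plug the returned dict into whatever Python web framework you use.

```python
# Added example: which CORS response headers belong on the preflight
# (OPTIONS) response and which on the actual response. Framework-agnostic:
# returns a plain dict of headers to attach to the response.
# ALLOWED_ORIGINS and the exposed header name are constructed values.

ALLOWED_ORIGINS = {"https://app.example.com"}   # constructed allowlist
ALLOWED_METHODS = "GET, POST, OPTIONS"
ALLOWED_REQUEST_HEADERS = "Content-Type, Authorization"


def cors_headers(origin, is_preflight):
    """Return the CORS headers for one response.

    origin       -- value of the request's Origin header (None if absent)
    is_preflight -- True for the OPTIONS request that carries
                    Access-Control-Request-Method
    """
    headers = {"Vary": "Origin"}  # caches must key on Origin, not serve one answer to all
    if origin not in ALLOWED_ORIGINS:
        # Unknown origin: send no CORS headers at all, so the browser refuses
        # to expose the response to the calling page.
        return headers
    # Required on BOTH the preflight and the actual response (the point made
    # in both answers). Echo the validated origin rather than '*' so the
    # response also works for credentialed requests.
    headers["Access-Control-Allow-Origin"] = origin
    headers["Access-Control-Allow-Credentials"] = "true"  # must appear on both
    if is_preflight:
        # Only meaningful on the preflight; ignored on the actual response.
        headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        headers["Access-Control-Allow-Headers"] = ALLOWED_REQUEST_HEADERS
        headers["Access-Control-Max-Age"] = "600"  # seconds the browser may cache it
    else:
        # Actual response: lets the page read a non-safelisted response header.
        headers["Access-Control-Expose-Headers"] = "X-Request-Id"
    return headers


def handle(method, origin, request_headers=None):
    """Decide whether the request is a preflight and return (status, headers).
    Body handling is left to the real application."""
    request_headers = request_headers or {}
    preflight = (method == "OPTIONS"
                 and "Access-Control-Request-Method" in request_headers)
    status = 204 if preflight else 200
    return status, cors_headers(origin, preflight)
```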