It is not clear to me if CORS headers (Access-Control-Allow-Origin, etc.) should be present only on the preflight request (OPTIONS method) or also in the resource's headers (which I'm trying to POST using XHR).
I'm asking this because I installed a Python plugin which handles CORS by only adding the CORS headers to the OPTIONS method (preflight), but not to the requested resource. This approach is NOT solving the CORS issue on Chrome and Firefox, returning messages like:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at [URL]. This can be fixed by moving the resource to the same domain or enabling CORS.
Edit:
I also found more info on http://www.html5rocks.com/en/tutorials/cors/ , which says:
Access-Control-Allow-Origin (required) - This header must be included in all valid CORS responses; omitting the header will cause the CORS request to fail. The value of the header can either echo the Origin request header (as in the example above), or be a '*' to allow requests from any origin. If you’d like any site to be able to access your data, using '*' is fine. But if you’d like finer control over who can access your data, use an actual value in the header.
The Access-Control-Allow-Origin header MUST appear on the response to BOTH the preflight OPTIONS and the GET request itself.
Cross-origin requests have an Origin header that identifies the domain initiating the request and is always sent to the server.
A CORS preflight request is a CORS request that checks to see if the CORS protocol is understood and a server is aware using specific methods and headers. It is an OPTIONS request, using three HTTP request headers: Access-Control-Request-Method, Access-Control-Request-Headers, and the Origin header.
They must be present on both responses.
Step 3 of the preflight rules requires that the browser follows the normal "make a request" steps.
The Access-Control-Allow-Origin header MUST appear on the response to BOTH the preflight OPTIONS and the GET request itself. If Access-Control-Allow-Credentials appears in the preflight OPTIONS response, it must also appear in the response to the GET. Likewise with the Access-Control-Expose-Headers response header.
The Access-Control-Allow-Headers, Access-Control-Allow-Methods and Access-Control-Max-Age response headers are ONLY needed in the OPTIONS response, and are ignored if they are returned in the response to the main fetch.
See https://fetch.spec.whatwg.org/#http-responses, which is THE CORS spec, and supersedes the older W3C spec (at https://www.w3.org/TR/cors/).
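A worked example, added here and not code from the question, the answers, or any CORS plugin: a minimal Python http.server handler that emits the headers the answer above describes (Access-Control-Allow-Origin on every response, Allow-Methods/Allow-Headers/Max-Age only on the preflight), a function that mimics the questioner's "preflight-only" plugin, and a function that mirrors the CORS check a browser performs on the actual response per the Fetch spec. The allowed-origin list, hostnames and function names are assumptions for illustration. It goes slightly beyond the answer in two ways a practitioner would want: it echoes the Origin (with Vary: Origin so caches key on it) instead of sending "*", and it shows that "*" cannot be combined with credentials.

```python
"""Which CORS headers go on which response (example code, not from the page)."""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Dict, Mapping, Optional

# Assumed allow-list for this example; real deployments read this from config.
ALLOWED_ORIGINS = {"https://app.example.com"}


def cors_headers(method: str, origin: Optional[str]) -> Dict[str, str]:
    """Correct behaviour: headers for a response to a request sent from `origin`.

    Access-Control-Allow-Origin (and Allow-Credentials / Expose-Headers) must be on
    EVERY response, preflight and actual.  Allow-Methods, Allow-Headers and
    Max-Age are only consulted on the preflight OPTIONS response.
    """
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}  # not an allowed cross-origin caller: emit no CORS headers at all
    headers = {
        "Access-Control-Allow-Origin": origin,  # echo the Origin, never "*" with credentials
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # echoing Origin makes the response vary per caller; tell caches
    }
    if method == "OPTIONS":  # preflight-only headers
        headers.update({
            "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
            "Access-Control-Allow-Headers": "Content-Type",
            "Access-Control-Max-Age": "600",
        })
    return headers


def preflight_only_headers(method: str, origin: Optional[str]) -> Dict[str, str]:
    """The mistake described in the question: CORS headers only on the OPTIONS reply."""
    return cors_headers(method, origin) if method == "OPTIONS" else {}


def browser_allows(resp: Mapping[str, str], origin: str, credentials: bool = False) -> bool:
    """Mirror the Fetch spec 'CORS check' a browser runs on the ACTUAL response."""
    acao = resp.get("Access-Control-Allow-Origin")
    if acao is None:
        return False  # missing header on the real response: blocked, preflight irrelevant
    if not credentials:
        return acao == "*" or acao == origin
    # With credentials "*" is rejected; the value must match and ACAC must be "true".
    return acao == origin and resp.get("Access-Control-Allow-Credentials") == "true"


class CorsHandler(BaseHTTPRequestHandler):
    """Applies cors_headers() to both the preflight and the POST it guards."""

    def _send(self, status: int, body: bytes = b"") -> None:
        self.send_response(status)
        for name, value in cors_headers(self.command, self.headers.get("Origin")).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self) -> None:  # preflight
        self._send(204)

    def do_POST(self) -> None:  # the actual request
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self._send(200, json.dumps({"ok": True}).encode())

    def log_message(self, *args) -> None:  # keep the demo quiet
        pass


def _demo() -> None:
    srv = ThreadingHTTPServer(("127.0.0.1", 0), CorsHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/api" % srv.server_address[1]
    origin = "https://app.example.com"
    for method, data in (("OPTIONS", None), ("POST", b"{}")):
        req = urllib.request.Request(url, data=data, method=method,
                                     headers={"Origin": origin, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            cors = {k: v for k, v in resp.headers.items() if k.startswith("Access-Control")}
            print(method, resp.status, cors, "allowed:", browser_allows(resp.headers, origin, True))
    srv.shutdown()


if __name__ == "__main__":
    _demo()
```

Running the module starts a throwaway server on localhost and shows the OPTIONS reply carrying the full set and the POST reply carrying only Allow-Origin, Allow-Credentials and Vary; swapping `cors_headers` for `preflight_only_headers` in the handler reproduces the "disallows reading the remote resource" failure, because the POST response then has no Access-Control-Allow-Origin for the browser to check.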