My application does some REST requests in a Java web application. The requests are CORS requests, so the browser does an OPTIONS preflight every time before the real one. Each request is similar to:
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Access-Control-Request-Method: GET
Access-Control-Request-Headers: iv-groups,iv-user,x-xsrf-token
Origin: http://localhost:4200
Connection: keep-alive
Cache-Control: max-age=0
The java application response is:
HTTP/1.1 200
Set-Cookie: JSESSIONID=70A5ED7E8D32DCEE55991D3945994AB0; Path=/blablab; HttpOnly
Set-Cookie: XSRF-TOKEN=35ad4230-b664-400c-84c0-7d06877bf05d; Path=/
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: http://localhost:4200
Access-Control-Allow-Methods: GET,POST,PUT,DELETE,HEAD,OPTIONS
Access-Control-Allow-Headers: iv-groups, iv-user, x-xsrf-token
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 1800
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Length: 0
Date: Thu, 22 Nov 2018 08:31:18 GMT
For Firefox this response is a CORS violation; on the console it writes "Credential is not supported if the CORS header Access-Control-Allow-Origin is *".
For Google Chrome the request is OK and the content is shown.
For a CORS request with credentials, for browsers to expose the response to the frontend JavaScript code, both the server (using the Access-Control-Allow-Credentials header) and the client (by setting the credentials mode for the XHR, Fetch, or Ajax request) must indicate that they're opting into including credentials.
Cross-Origin Resource Sharing (CORS) errors occur when a server doesn't return the HTTP headers required by the CORS standard. To resolve a CORS error from an API Gateway REST API or HTTP API, you must reconfigure the API to meet the CORS standard.
The access-control-allow-origin plugin essentially turns off the browser's same-origin policy. For every request, it will add the Access-Control-Allow-Origin: * header to the response. It tricks the browser, and overrides the CORS header that the server has in place with the open wildcard value.
That happens if you are using withCredentials in your client-side request. In that case you can modify the server side to check allowed referers and send the correct URL in the Access-Control-Allow-Origin header. If you do not use credentials, * is accepted.
Some more information can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials
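A server-side version of what the answer above describes, added here as an example and not code from the question's application: a javax.servlet filter (Servlet 4.0 and Java 9+ assumed; the class name and the allow-list contents are illustrative) that echoes only allow-listed origins together with Access-Control-Allow-Credentials: true, answers the OPTIONS preflight itself, and sets Vary: Origin so caches never hand one origin's CORS headers to another.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter name; register it in web.xml or with @WebFilter("/*").
public class CredentialedCorsFilter implements Filter {

    // Exact origins (scheme + host + port) that may send credentialed requests.
    // Never reflect an arbitrary Origin header back when credentials are allowed,
    // and never use "*": browsers reject it for credentialed requests.
    private static final Set<String> ALLOWED_ORIGINS = Set.of("http://localhost:4200");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String origin = request.getHeader("Origin");

        // The response differs per Origin, so shared caches must key on it.
        response.addHeader("Vary", "Origin");

        if (origin != null && ALLOWED_ORIGINS.contains(origin)) {
            // Echo the specific allow-listed origin, not "*".
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Access-Control-Allow-Credentials", "true");

            boolean preflight = "OPTIONS".equalsIgnoreCase(request.getMethod())
                    && request.getHeader("Access-Control-Request-Method") != null;
            if (preflight) {
                // Answer the preflight with what the API accepts and stop here;
                // the real request follows as a separate call.
                response.setHeader("Access-Control-Allow-Methods", "GET,POST,PUT,DELETE,OPTIONS");
                response.setHeader("Access-Control-Allow-Headers", "iv-groups, iv-user, x-xsrf-token");
                response.setHeader("Access-Control-Max-Age", "1800");
                response.setStatus(HttpServletResponse.SC_NO_CONTENT);
                return;
            }
        }
        // Unknown origin: no CORS headers are emitted, so the browser withholds the response.
        chain.doFilter(req, res);
    }
}
```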