Menu
I am sending POST request like this from browser:
fetch(serverEndpoint, { method: 'POST', mode: 'no-cors', // this is to prevent browser from sending 'OPTIONS' method request first redirect: 'follow', headers: new Headers({ 'Content-Type': 'text/plain', 'X-My-Custom-Header': 'value-v', 'Authorization': 'Bearer ' + token, }), body: companyName }) By the time the request reaches my back-end it does not contain X-My-Custom-Header nor Authorization header.
My back-end is Google Cloud function for Firebase (basically just Node.js endpoint) that looks like this:
exports.createCompany = functions.https.onRequest((req, res) => { let headers = ['Headers: '] for (let header in req.headers) { headers.push(`${header} : ${req.headers[header]}`) } console.log(headers) ... } The console log of that Google Cloud for Firebase function does not contain any X-My-Custom-Header nor Authorization header.
What is wrong?
So using dev tools in Chrome a checked that neither X-My-Custom-Header nor Authorization header is send from the browser... The questions now are: Why? How do I fix it?
More information about my app: It's React app. I have disabled service worker. I have tried to create Request and specifically add headers using req.headers.append(). The headers still wouldn't send.
357
The Headers interface of the Fetch API allows you to perform various actions on HTTP request and response headers. These actions include retrieving, setting, adding to, and removing headers from the list of the request's headers.
The fetch() method: Fetch API comes with a fetch () method that allows you to fetch data from all sorts of different places and work with the data fetched. It allows you to make an HTTP request, i.e., either a GET request (for getting data) or POST request (for posting data).
The same-origin policy restricts the kinds of requests that a Web page can send to resources from another origin.
In the no-cors mode, the browser is limited to sending “simple” requests — those with safelisted methods and safelisted headers only.
To send a cross-origin request with headers like Authorization and X-My-Custom-Header, you have to drop the no-cors mode and support preflight requests (OPTIONS).
The distinction between “simple” and “non-simple” requests is for historical reasons. Web pages could always perform some cross-origin requests through various means (such as creating and submitting a form), so when Web browsers introduced a principled means of sending cross-origin requests (cross-origin resource sharing, or CORS), it was decided that such “simple” requests could be exempt from the preflight OPTIONS check.
127
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
