Menu
How can you debug CORS requests using cURL? So far I couldn't find any way to "simulate" the preflight request .
809
Here's how you can debug CORS requests using curl. The -H "Origin: http://example.com" flag is the third party domain making the request. Substitute in whatever your domain is. The --verbose flag prints out the entire response so you can see the request and response headers.
How can I fix my CORS error? To know exactly why your request is failing, you need to inspect the traffic itself, find where you're breaking the rules above, and then either: Change the request to make it a simple request. Change the server's response to follow the rules above.
To make a CORS request using Curl, you need to pass an Origin HTTP header that specifies the origin of the request (domain, scheme, or port) other than the destination server address, and optionally the required HTTP methods and response headers.
And so finally, to determine whether the server sending the response has CORS enabled in the response, you need to look for the Access-Control-Allow-Origin response header there.
Here's how you can debug CORS requests using curl.
Sending a regular CORS request using cUrl:
curl -H "Origin: http://example.com" --verbose \ https://www.googleapis.com/discovery/v1/apis?fields= The -H "Origin: http://example.com" flag is the third party domain making the request. Substitute in whatever your domain is.
The --verbose flag prints out the entire response so you can see the request and response headers.
The url I'm using above is a sample request to a Google API that supports CORS, but you can substitute in whatever url you are testing.
The response should include the Access-Control-Allow-Origin header.
Sending a preflight request using cUrl:
curl -H "Origin: http://example.com" \ -H "Access-Control-Request-Method: POST" \ -H "Access-Control-Request-Headers: X-Requested-With" \ -X OPTIONS --verbose \ https://www.googleapis.com/discovery/v1/apis?fields= This looks similar to the regular CORS request with a few additions:
The -H flags send additional preflight request headers to the server
The -X OPTIONS flag indicates that this is an HTTP OPTIONS request.
If the preflight request is successful, the response should include the Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers response headers. If the preflight request was not successful, these headers shouldn't appear, or the HTTP response won't be 200.
You can also specify additional headers, such as User-Agent, by using the -H flag.
157
curl -H "Access-Control-Request-Method: GET" -H "Origin: http://localhost" --head http://www.example.com/ Access-Control-Allow-* then your resource supports CORS.Rationale for alternative answer
I google this question every now and then and the accepted answer is never what I need. First it prints response body which is a lot of text. Adding --head outputs only headers. Second when testing S3 URLs we need to provide additional header -H "Access-Control-Request-Method: GET".
Hope this will save time.
36
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
