Menu
I was reading about CORS requests, and I have managed to make regular GET or POST request and it works fine. But when I add authorization header to a either GET or POST request, then the preflight OPTIONS request is sent to the server and I get 500 INTERNAL SERVER ERR, and the actual request isn't sent. My question is how does the preflight actually work, and what response does it require so that it will send the main request? And is it possible to send it without the preflight because I'm sure that then it would work? The serve-rside is written in Django 1.6 and has ACCESS-ALLOW-ORIGIN set to *, and it works with regular post and get requests.
This is my JS code:
$.ajax({
type: "GET",
url: "http://url/login/",
async:false,
contentType: "application/json",
headers: {
"Authorization": "Basic " + btoa(loginName + ':' + password),
},
success: function (data) {
alert("OK!");
},
failure: function(errMsg) {
alert(errMsg);
}
});
These are the headers from Chrome DevTools when the request is executed: Request headers:
OPTIONS /login/ HTTP/1.1
Host: url
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Access-Control-Request-Headers: accept, authorization, content-type
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,hr;q=0.6,sr;q=0.4
Response headers:
HTTP/1.1 500 INTERNAL SERVER ERROR
Date: Thu, 31 Jul 2014 16:15:19 GMT
Server: Apache/2.2.15 (CentOS)
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Origin: *
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
877
To send a GET request with a Bearer Token authorization header, you need to make an HTTP GET request and provide your Bearer Token with the Authorization: Bearer {token} HTTP header.
To send a request with the Bearer Token authorization header, you need to make an HTTP request and provide your Bearer Token with the "Authorization: Bearer {token}" header. A Bearer Token is a cryptic string typically generated by the server in response to a login request.
The default response headers always exposed for CORS requests are: Cache-Control. Content-Language. Content-Type.
To pass authorization headers you must set Access-Control-Allow-Credentials to true.
The problem is that, according to specification (MDN explains it simpler), if Access-Control-Allow-Credentials is set to true, Access-Control-Allow-Origin cannot contain *, therefore allowing any hosts making requests with credentials attached.
There are two options to solve this problem:
Access-Control-Allow-Origin to actual host making requestsOrigin header if it's on the list and adding Origin as Access-Control-Allow-Origin header value.With Django, check for Origin and adding a header can be made in Middleware, but that would make a decent question on it's own (and probably have been already asked)
51
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
