Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to make GET CORS request with authorization header

I was reading about CORS requests, and I have managed to make regular GET or POST request and it works fine. But when I add authorization header to a either GET or POST request, then the preflight OPTIONS request is sent to the server and I get 500 INTERNAL SERVER ERR, and the actual request isn't sent. My question is how does the preflight actually work, and what response does it require so that it will send the main request? And is it possible to send it without the preflight because I'm sure that then it would work? The serve-rside is written in Django 1.6 and has ACCESS-ALLOW-ORIGIN set to *, and it works with regular post and get requests.

This is my JS code:

 $.ajax({
  type: "GET",
  url: "http://url/login/",
  async:false,
  contentType: "application/json",
  headers: {
    "Authorization": "Basic " + btoa(loginName + ':' + password),       
  },
  success: function (data) {
    alert("OK!");
  },
  failure: function(errMsg) {
    alert(errMsg);
  }
});

These are the headers from Chrome DevTools when the request is executed: Request headers:

OPTIONS /login/ HTTP/1.1
Host: url
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)     Chrome/36.0.1985.125 Safari/537.36
Access-Control-Request-Headers: accept, authorization, content-type
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,hr;q=0.6,sr;q=0.4

Response headers:

HTTP/1.1 500 INTERNAL SERVER ERROR
Date: Thu, 31 Jul 2014 16:15:19 GMT
Server: Apache/2.2.15 (CentOS)
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Origin: *
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
like image 877
Matija Avatar asked Jul 31 '14 16:07

Matija


People also ask

How do I add authorization header in GET request?

To send a GET request with a Bearer Token authorization header, you need to make an HTTP GET request and provide your Bearer Token with the Authorization: Bearer {token} HTTP header.

How do I request a post with authorization header?

To send a request with the Bearer Token authorization header, you need to make an HTTP request and provide your Bearer Token with the "Authorization: Bearer {token}" header. A Bearer Token is a cryptic string typically generated by the server in response to a login request.

What headers are required for CORS?

The default response headers always exposed for CORS requests are: Cache-Control. Content-Language. Content-Type.


1 Answers

To pass authorization headers you must set Access-Control-Allow-Credentials to true.

The problem is that, according to specification (MDN explains it simpler), if Access-Control-Allow-Credentials is set to true, Access-Control-Allow-Origin cannot contain *, therefore allowing any hosts making requests with credentials attached.

There are two options to solve this problem:

  • Set Access-Control-Allow-Origin to actual host making requests
  • If there are more than one host: "canonical" way would be to have a whitelist of hosts in application itself, than check Origin header if it's on the list and adding Origin as Access-Control-Allow-Origin header value.

With Django, check for Origin and adding a header can be made in Middleware, but that would make a decent question on it's own (and probably have been already asked)

like image 51
J0HN Avatar answered Sep 19 '22 20:09

J0HN