I was reading about CORS requests, and I have managed to make regular GET or POST requests and it works fine. But when I add an authorization header to either a GET or POST request, then the preflight OPTIONS request is sent to the server and I get 500 INTERNAL SERVER ERR, and the actual request isn't sent. My question is how does the preflight actually work, and what response does it require so that it will send the main request? And is it possible to send it without the preflight, because I'm sure that then it would work? The server-side is written in Django 1.6 and has Access-Control-Allow-Origin set to *, and it works with regular POST and GET requests.
This is my JS code:
    $.ajax({
        type: "GET",
        url: "http://url/login/",
        async: false,                        // synchronous call, as in the original
        contentType: "application/json",
        headers: {
            // loginName and password are assumed to be in scope
            "Authorization": "Basic " + btoa(loginName + ':' + password)
        },
        success: function (data) {
            alert("OK!");
        },
        // jQuery's ajax option is "error", not "failure"; the original name would never fire
        error: function (xhr, status, errMsg) {
            alert(errMsg);
        }
    });
These are the headers from Chrome DevTools when the request is executed.
Request headers:
OPTIONS /login/ HTTP/1.1
Host: url
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Access-Control-Request-Headers: accept, authorization, content-type
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,hr;q=0.6,sr;q=0.4
Response headers:
HTTP/1.1 500 INTERNAL SERVER ERROR
Date: Thu, 31 Jul 2014 16:15:19 GMT
Server: Apache/2.2.15 (CentOS)
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Origin: *
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
To pass authorization headers you must set Access-Control-Allow-Credentials to true.

The problem is that, according to the specification (MDN explains it more simply), if Access-Control-Allow-Credentials is set to true, Access-Control-Allow-Origin cannot contain *, as that would allow any host to make requests with credentials attached.

There are two options to solve this problem:
1. Set Access-Control-Allow-Origin to the actual host making the requests.
2. Keep a list of allowed hosts, check whether the Origin header is on the list, and if so add the Origin value as the Access-Control-Allow-Origin header.

With Django, checking for Origin and adding a header can be done in middleware, but that would make a decent question on its own (and has probably already been asked).
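As an added example, not code from the question or the answer, here is what such a middleware could look like for Django 1.6: it follows the answer's second option (echoing an allow-listed Origin instead of *) and additionally lists the headers the captured preflight asks for (accept, authorization, content-type) in Access-Control-Allow-Headers, which the preflight response has to include before the browser will send the Authorization header. The decision logic is a plain function so it runs without Django; CorsMiddleware, ALLOWED_ORIGINS and the other names are assumptions.

```python
# Assumed names and a constructed allow-list; never add "null" (file:// pages send Origin: null).
ALLOWED_ORIGINS = {"https://app.example.com"}
ALLOWED_METHODS = {"GET", "POST", "OPTIONS"}
ALLOWED_HEADERS = {"accept", "authorization", "content-type"}  # what the preflight asks for


def cors_response_headers(origin, method, requested_method=None, requested_headers=None):
    """Return (status, headers): a preflight (OPTIONS + Access-Control-Request-Method)
    gets the headers the browser needs before it sends the real request;
    any other request gets the headers to add to the normal response."""
    if origin is None or origin not in ALLOWED_ORIGINS:
        return 403, {}  # no CORS headers at all, so the browser blocks the response
    headers = {
        "Access-Control-Allow-Origin": origin,  # echo the origin, never "*" with credentials
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # keep caches from reusing the echoed value for another origin
    }
    if not (method == "OPTIONS" and requested_method):
        return 200, headers
    wanted = {h.strip().lower() for h in (requested_headers or "").split(",") if h.strip()}
    if requested_method not in ALLOWED_METHODS or not wanted <= ALLOWED_HEADERS:
        return 403, {}
    headers["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
    headers["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
    headers["Access-Control-Max-Age"] = "600"  # let the browser cache the preflight result
    return 200, headers


class CorsMiddleware(object):
    """Django 1.6-style middleware (hypothetical); list it first in MIDDLEWARE_CLASSES."""
    def process_request(self, request):
        # The preflight carries no Authorization header, so answer it here,
        # before any view or authentication check can reject it.
        if request.method != "OPTIONS" or "HTTP_ACCESS_CONTROL_REQUEST_METHOD" not in request.META:
            return None
        from django.http import HttpResponse  # lazy import so this module loads without Django
        status, headers = cors_response_headers(
            request.META.get("HTTP_ORIGIN"), request.method,
            request.META["HTTP_ACCESS_CONTROL_REQUEST_METHOD"],
            request.META.get("HTTP_ACCESS_CONTROL_REQUEST_HEADERS"))
        response = HttpResponse(status=status)
        for name, value in headers.items():
            response[name] = value
        return response

    def process_response(self, request, response):
        _, headers = cors_response_headers(request.META.get("HTTP_ORIGIN"), request.method)
        for name, value in headers.items():
            response[name] = value
        return response
```

With this in place the captured preflight (Access-Control-Request-Headers: accept, authorization, content-type) gets a 200 with matching allow headers, while the Origin: null shown in the question is refused because it is not on the list.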