Safari issue with CORS: Origin is not allowed by Access-Control-Allow-Origin

We have a Node.js based application on one of our servers (let's call it 'my.apiserver.com'). Our client has a web site in a different domain (my.client.com). When a user goes to our client's website there is a series of html pages received from, and ajax-based requests sent to, our server. This seems to work fine across all devices and browsers with the exception of the latest Safari version (8). For the majority (but oddly not all) of the Safari-8 users they receive error messages along these lines:

XMLHttpRequest cannot load http://my.apiserver.com/views/view1.html. Origin http://my.client.com is not allowed by Access-Control-Allow-Origin

and

XMLHttpRequest cannot load http://my.apiserver.com/ajax_endpoint1?id=12345. Origin http://my.client.com is not allowed by Access-Control-Allow-Origin

Inside of our app.js file the node application has its cross-domain security set up like so:

var express = require('express');   // Express app; require/constructor added so the snippet runs on its own
var app = express();

/***************************************************************************/
/* configure CORS
/***************************************************************************/
app.use(function(req, res, next) {
  // A single fixed origin; with credentials the wildcard '*' is not permitted
  res.set('Access-Control-Allow-Origin', 'http://my.client.com');
  // Header value must be the literal string 'true' (Express stringifies, but be explicit)
  res.set('Access-Control-Allow-Credentials', 'true');
  res.set('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
  res.set('Access-Control-Allow-Headers', 'Origin, Product-Session, X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept, Referer, User-Agent');

  // intercept OPTIONS method (preflight): answer with the headers above and no body
  if ('OPTIONS' == req.method) {
    res.status(200).end();   // res.send(200) is deprecated in Express 4 (it would send "200" as the body)
  }
  else {
    next();
  }
});

Any insights as to why our CORS setup is failing for the latest Safari would be appreciated.

Thanks

asked Mar 21 '15 19:03 by Gatmando

1 Answer

In the end this wasn't a CORS issue, it was a cookies issue. Specifically it was a 3rd-party cookies issue because later versions of Safari don't allow 3rd-party cookies by default. Since we are the third party, no cookie data was stored or passed back to our server, and the problem for some reason manifested itself as a CORS error. Once 3rd-party cookies were enabled the API calls worked as expected. Of course now we need to solve for the cookies issue.

answered Nov 16 '22 02:11 by Gatmando