We have a Node.js based application on one of our servers (let's call it 'my.apiserver.com'). Our client has a web site in a different domain (my.client.com). When a user goes to our client's website there are a series of HTML pages received from, and AJAX-based requests sent to, our server. This seems to work fine across all devices and browsers with the exception of the latest Safari version (8). The majority (but oddly not all) of the Safari 8 users receive error messages along these lines:
XMLHttpRequest cannot load http://my.apiserver.com/views/view1.html. Origin http://my.client.com is not allowed by Access-Control-Allow-Origin
and
XMLHttpRequest cannot load http://my.apiserver.com/ajax_endpoint1?id=12345. Origin http://my.client.com is not allowed by Access-Control-Allow-Origin
Inside of our app.js file the node application has its cross-domain security set up like so:
// app.js (Express); the require/app lines are implied by the snippet and added here so it runs
var express = require('express');
var app = express();

/***************************************************************************/
/* configure CORS
/***************************************************************************/
app.use(function(req, res, next) {
    // single fixed origin, credentials allowed
    res.set('Access-Control-Allow-Origin', 'http://my.client.com');
    res.set('Access-Control-Allow-Credentials', true);
    res.set('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
    res.set('Access-Control-Allow-Headers', 'Origin, Product-Session, X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept, Referer, User-Agent');
    // intercept OPTIONS method (preflight) and answer it here
    if ('OPTIONS' === req.method) {
        // Express 3 form; in Express 4 use res.sendStatus(200) instead
        res.send(200);
    }
    else {
        next();
    }
});
Any insights as to why our CORS setup is failing for the latest Safari would be appreciated.
Thanks
If the server is under your control, add the origin of the requesting site to the set of domains permitted access by adding it to the Access-Control-Allow-Origin header's value. You can also configure a site to allow any site to access it by using the * wildcard. You should only use this for public APIs.
This error occurs when a script on your website/web app attempts to make a request to a resource that isn't configured to accept requests coming from code that doesn't come from the same (sub)domain, thus violating the Same-Origin policy.
In the end this wasn't a CORS issue, it was a cookies issue. Specifically it was a third-party cookies issue, because later versions of Safari don't allow third-party cookies by default. Since we are the third party, no cookie data was stored or passed back to our server, and the problem for some reason manifested itself as a CORS error. Once third-party cookies were enabled the API calls worked as expected. Of course now we need to solve the cookies issue.
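The two answers above touch the same design point from different sides: the server must name the calling origin explicitly in Access-Control-Allow-Origin, and once cookies are involved (Access-Control-Allow-Credentials: true) the `*` wildcard is not an option at all, because browsers refuse credentialed responses that use it. The following is an added example, not the asker's app.js or any project's code. It implements the CORS decision as a pure function against an exact-match origin allowlist (the hostnames are the question's placeholders), answers preflights with 204, refuses preflights from unknown origins with 403, sends no CORS headers at all to unknown origins on normal requests, and adds `Vary: Origin` so shared caches do not serve one origin's headers to another. `corsMiddleware` is an Express-style (req, res, next) wrapper around it, and `simulate` drives that wrapper with a constructed fake request and response so the behaviour can be checked without a server.

```javascript
'use strict';

// Allowlist of origins permitted to call this API with credentials.
// Exact string match: scheme, host and port must all agree.
// 'http://my.client.com' is the placeholder origin from the question.
const ALLOWED_ORIGINS = new Set(['http://my.client.com']);

// Same method and header lists the question's app.js advertises.
const ALLOWED_METHODS = ['GET', 'PUT', 'POST', 'DELETE', 'OPTIONS'];
const ALLOWED_HEADERS = [
  'Origin', 'Product-Session', 'X-Requested-With', 'X-HTTP-Method-Override',
  'Content-Type', 'Accept', 'Referer', 'User-Agent',
];

// Pure decision function: given the request method and (lower-cased) request
// headers, return the CORS response headers, a status to send if the request
// should be answered immediately (preflight), and whether to end it.
function corsDecision(method, requestHeaders, allowedOrigins = ALLOWED_ORIGINS) {
  const origin = requestHeaders['origin'];
  const headers = {};

  // Same-origin and non-browser requests carry no Origin header: add nothing.
  if (origin === undefined) {
    return { status: null, headers, end: false };
  }

  if (!allowedOrigins.has(origin)) {
    // Unknown origin. A preflight is refused outright; a normal request is
    // passed through without any CORS headers, so the browser blocks the read.
    // Never reflect an arbitrary Origin here while Allow-Credentials is 'true'.
    return { status: method === 'OPTIONS' ? 403 : null, headers, end: method === 'OPTIONS' };
  }

  // Allowed origin: echo exactly that origin (never '*' when credentials are
  // allowed; browsers reject that pairing) and mark the response as varying.
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  headers['Vary'] = 'Origin';

  const isPreflight = method === 'OPTIONS' &&
    requestHeaders['access-control-request-method'] !== undefined;
  if (isPreflight) {
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(',');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600'; // let the browser cache the preflight
    return { status: 204, headers, end: true };
  }
  return { status: null, headers, end: false };
}

// Express-style middleware: app.use(corsMiddleware()) in a real application.
function corsMiddleware(allowedOrigins = ALLOWED_ORIGINS) {
  return function (req, res, next) {
    const decision = corsDecision(req.method, req.headers, allowedOrigins);
    for (const [name, value] of Object.entries(decision.headers)) {
      res.setHeader(name, value);
    }
    if (decision.end) {
      res.statusCode = decision.status;
      res.end();
    } else {
      next();
    }
  };
}

// Drive the middleware with a constructed fake req/res (no server needed)
// and report what a real Express response object would have received.
function simulate(method, requestHeaders, allowedOrigins = ALLOWED_ORIGINS) {
  const res = {
    statusCode: 200,
    headers: {},
    ended: false,
    setHeader(name, value) { this.headers[name] = value; },
    end() { this.ended = true; },
  };
  let nextCalled = false;
  corsMiddleware(allowedOrigins)({ method, headers: requestHeaders }, res, () => {
    nextCalled = true;
  });
  return { statusCode: res.statusCode, headers: res.headers, ended: res.ended, nextCalled };
}
```

Note that this fixes only the server side of the picture. The asker's own resolution was that Safari 8 blocks third-party cookies by default, so even a correct allowlist plus `Allow-Credentials: true` will not help if the browser never sends the cookie; the client must also set `withCredentials = true` on the XMLHttpRequest, and the session cookie itself still has to be accepted by the browser.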