Menu
I have a web-app with an AngularJS front-end and a Web Api 2 back-end, and it uses bearer-tokens for authentication.
All is well in FireFox & IE, but with Chrome, my initial login request is SOMETIMES pre-flighted.
Here's the call from the AngularJS service:
$http.post(http://localhost:55483/token, data, { headers: { 'Content-Type': 'application/x-www-form-urlencoded' } }).success(function (response) { ... });
The preflight request gets kicked back with an "Allow-Access-Control-Origin" error.
However, if I click the Login button again (thereby re-sending the above request) all is well.
Any idea on how to prevent/trap/handle this?
PS: I use the LOC
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
in the ApplicationOAuthProvider.cs file to put the CORS allow-header on the /Token request, which works fine in IE, FireFox and sometimes in Chrome.
246
A CORS preflight request is a CORS request that checks to see if the CORS protocol is understood and a server is aware using specific methods and headers. It is an OPTIONS request, using three HTTP request headers: Access-Control-Request-Method , Access-Control-Request-Headers , and the Origin header.
A CORS preflight OPTIONS request can be triggered just by adding a Content-Type header to a request — if the value's anything except application/x-www-form-urlencoded , text/plain , or multipart/form-data .
For simple cross-origin POST method requests, the response from your resource needs to include the header Access-Control-Allow-Origin , where the value of the header key is set to '*' (any origin) or is set to the origins allowed to access that resource. All other cross-origin HTTP requests are non-simple requests.
Another way to avoid Preflight requests is to use simple requests. Preflight requests are not mandatory for simple requests, and according to w3c CORS specification, we can label HTTP requests as simple requests if they meet the following conditions. Request method should be GET , POST , or HEAD .
The below is Fancy comment:
Figured this out with help from post by LeftyX on Jun 29:
- Move this LOCapp.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);to the FIRST LINE in the ConfigureAuth method of Startup.Auth.cs.
- Then, REMOVE this LOCcontext.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });from the GrantResourceOwnerCredentials() method of ApplicationOAuthProvide.cs.
Preflight CORS-request them gets handled properly, and then the actual requet goes through
Thank man, you save my whole day.
Cause it happens for many guys, I bring your comment to answer box for other guys can see it.
I don't want to get vote up for this. Please comment on my answer instead
Thank you
160
I hope this is able to help somebody out there. For me:
app.useCors(); LOC did not work.app.useCors(); LOC worked for other people on my team.So I needed a solution that would work across everyone's environments.
Ultimately what I ended up doing was adding the header and value right into the Web.config with the following (where localhost:9000 is my node application that is serving up angular):
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="http://localhost:9000" />
<add name="Access-Control-Allow-Headers" value="Content-Type"/>
</customHeaders>
</httpProtocol>
</system.webServer>
Then in production you can just change the origin value to the production front-end url.
If you want CORS enabled for all origins, change the value to "*".
40
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
