CORS cookie credentials from mobile WebView loaded locally with file://

by

I realize this question is old, but I figured I’d throw in on it anyhow. In the case of CORS requests, the browser preflights them. What this means is – in spite of whatever $.ajax() method you are using, an OPTIONS request is sent to the server.

What this preflighted OPTIONS request is actually doing is saying:

“Hey there, foreign-server-from-some-other-domain, I want to send you a not-simple request (simple req’s are not preflighted). My not-simple request going to have these kinds of headers and content type and so on. Can you let me know if this is okay?”

Then the server will do whatever it does (probably check some configuration or database) and respond with the allowable origin(s), the allowable header(s), and/or the allowable method(s).

Finally – if that preflight OPTIONS request has received response that allows the actual $.ajax() method to go – it goes.

CORS is not the same as JSONP.

All that said – while withCredentials preflight success requires the response to carry a Access-Control-Allow-Credentials header (as stated in the question), that is IN ADDITION to Access-Control-Allow-Origins AND Access-Control-Allow-Methods values, which must include the facets of the intended request.

For example – if you are making a CORS POST request from origin http://foo-domain.com with headers somevalue to http://bar-domain.com, a preflight OPTIONS request would go out and in order for the actual post request to be made to http://bar-domain.com, the OPTIONS request would need to receive a response with an Access-Control-Allow-Origins value that included http://foo-domain.com. This could be the origin name itself or *. The response would also need to have an Access-Control-Allow-Methods value that included POST. This may also be *. And Finally if we want our somevalue header to be allowed, the response must contain a Access-Control-Allow-Headers value that includes our somevalue header key or *.

To circle back – if you can’t control the server, or have no way to allow the server to allow your CORS requests, you could always use JSONP or some urlEncoded datatype and/or make simple requests without custom headers. GET, HEAD, and full POST requests are usually simple requests.

More Related Contents:

  1. Origin is not allowed by Access-Control-Allow-Origin
  2. Response to preflight request doesn’t pass access control check
  3. jQuery XML error ‘ No ‘Access-Control-Allow-Origin’ header is present on the requested resource.’
  4. how to bypass Access-Control-Allow-Origin?
  5. No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘…’ is therefore not allowed access
  6. Why am I seeing an “origin is not allowed by Access-Control-Allow-Origin” error here? [duplicate]
  7. No ‘Access-Control-Allow-Origin’ header is present on the requested resource error
  8. Cross-Origin Read Blocking (CORB)
  9. Origin is not allowed by Access-Control-Allow-Origin
  10. CORS error on same domain?
  11. Why am I seeing an “origin is not allowed by Access-Control-Allow-Origin” error here? [duplicate]
  12. Understanding AJAX CORS and security considerations
  13. Why does the preflight OPTIONS request of an authenticated CORS request work in Chrome but not Firefox?
  14. AngularJS POST Fails: Response for preflight has invalid HTTP status code 404
  15. Where to save a JWT in a browser-based application and how to use it
  16. Cross domain POST request is not sending cookie Ajax Jquery
  17. Is CORS a secure way to do cross-domain AJAX requests?
  18. Get and store cookie (from Set-Cookie) from an AJAX POST response
  19. Javascript – No ‘Access-Control-Allow-Origin’ header is present on the requested resource
  20. Cross Domain Resource Sharing GET: ‘refused to get unsafe header “etag”‘ from Response
  21. What’s to stop malicious code from spoofing the “Origin” header to exploit CORS?
  22. How to allow CORS in react.js?
  23. Cross-origin resource sharing (CORS) concept
  24. CORS error for application running from file:// scheme
  25. Solve Cross Origin Resource Sharing with Flask
  26. How to Detect Cross Origin (CORS) Error vs. Other Types of Errors for XMLHttpRequest() in Javascript
  27. Microsoft Edge blocked cross-domain requests sent to IPs in same private network CIDR
  28. Client notification, should I use an AJAX Push or Poll?
  29. XMLHttpRequest: Network Error 0x80070005, Access is denied on Microsoft Edge (but not IE)
  30. CORS error with jquery

Leave a Comment