CORS enabled but response for preflight has invalid HTTP status code 404 when POSTing JSON

Thanks, but I was getting a 405 error after the above config changes. Finally, it works after adding the code below to the Web API Global.asax file:

    protected void Application_BeginRequest(Object sender, EventArgs e)
    {
        //HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "*");
        if (HttpContext.Current.Request.HttpMethod == "OPTIONS")
        {
            HttpContext.Current.Response.AddHeader("Cache-Control", "no-cache");
            HttpContext.Current.Response.AddHeader("Access-Control-Allow-Methods", "GET, POST");
            HttpContext.Current.Response.AddHeader("Access-Control-Allow-Headers", "Content-Type, Accept");
            HttpContext.Current.Response.AddHeader("Access-Control-Max-Age", "1728000");
            HttpContext.Current.Response.End();
        }
    }

Enabling CORS globally in Spring Boot

You could indeed define your own Filter as you mentioned in your answer. Spring already has such a CorsFilter though, so you don’t have to create one yourself. Just register it as a bean and it should work:

    @Bean
    public CorsFilter corsFilter() {
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        final CorsConfiguration config = new …

Confused about how to handle CORS OPTIONS preflight requests

I sat down and debugged through the org.apache.catalina.filters.CorsFilter to figure out why the request was being forbidden. Hopefully this can help someone out in the future. According to the W3 CORS Spec Section 6.2 Preflight Requests, the preflight must reject the request if any header submitted does not match the allowed headers. The default configuration …

Cross-Origin Resource Sharing with Spring Security

I was able to do this by extending UsernamePasswordAuthenticationFilter… my code is in Groovy, hope that’s OK:

    public class CorsAwareAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
        static final String ORIGIN = 'Origin'

        @Override
        public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response){
            if (request.getHeader(ORIGIN)) {
                String origin = request.getHeader(ORIGIN)
                response.addHeader('Access-Control-Allow-Origin', origin)
                response.addHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE')
                response.addHeader('Access-Control-Allow-Credentials', 'true')
                response.addHeader('Access-Control-Allow-Headers', request.getHeader('Access-Control-Request-Headers'))
            }
            …

CORS-enabled server not denying requests

CORS configuration on its own isn’t going to cause a server to deny requests. You can’t cause server-side blocking of requests just through CORS configuration. The only thing servers do differently when you configure CORS support is just to send the Access-Control-Allow-Origin response header and other CORS response headers. That’s it. Actual enforcement of cross-origin …

Access to fetch at https://accounts.google.com/o/oauth2/v2/auth has been blocked by CORS

The authentication flow must happen in a visible browsing context, not with a fetch request. In other words: You must navigate the current tab to (or open a new tab at) http://localhost:8000/api/mail/login, the tab will then be redirected to https://accounts.google.com/o/oauth2/v2/auth?… and this page becomes visible. Now the user must interact with that page to choose/confirm …