LibraryOfCongress / chronam

This software project is no longer being actively developed at the Library of Congress. Consider using the Open-ONI (https://github.com/open-oni) fork of the chronam software. Project mailing list: http://listserv.loc.gov/archives/chronam-users.html.

Search API: CORS requests are blocked from browser clients #227

Closed denver-HJS closed 2 years ago

denver-HJS commented 3 years ago

Sorry if this is the wrong place to bring this up, but I've run into some issues trying to integrate with your Search API when trying to access this resource: https://chroniclingamerica.loc.gov/search/titles/results?terms=Tulsa&format=json

I think there may be some interference by a redirect rule in your application that is blocking CORS requests made by my browser application (in this case an Angular client).

I notice in the browser console that when the browser is making its OPTIONS preflight request for CORS, it's returning as a 301 Redirect response. If you refer to the sequence diagram I've pulled from MDN, per the protocol the browser is expecting a 204 No Content response with the Access-Control-Allow-Origin response header included.

[image: cors_sequence]

[image: preflight_redirect]

Additionally this is in the browser console output:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://chroniclingamerica.loc.gov/search/titles/results?terms=Tulsa&format=json. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

Feel free to let me know if I should ask this somewhere else, or if I can help provide any additional information!

Thanks

acdha commented 2 years ago

Sorry, I missed this before. This is caused by the missing slash on the end of the URL path — the actual URL is https://chroniclingamerica.loc.gov/search/titles/results/ so Django issues a redirect to the canonical location. If you use that URL it'll have Access-Control-Allow-Origin: * on both OPTIONS and GET responses.
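
Added example (not part of the original thread or the chronam code base): a small check that reproduces the diagnosis above on constructed response records, showing why the 301 on the slash-less path fails the preflight and how the canonical URL is formed. The response object shape, the `ORIGIN` value and the 200 status on the canonical response are assumptions made for illustration.

```javascript
// Added example: constructed response records, no network access.

// Add the trailing slash the canonical path carries, preserving the query string.
function withTrailingSlash(rawUrl) {
  const url = new URL(rawUrl);
  if (!url.pathname.endsWith("/")) url.pathname += "/";
  return url.toString();
}

// resp: { status, headers } with lower-case header names (hypothetical shape).
// Returns the reasons a browser would refuse to send the actual request
// (non-credentialed request assumed, so "*" is an acceptable origin value).
function diagnosePreflight(resp, origin) {
  const problems = [];
  if (resp.status >= 300 && resp.status < 400) {
    const target = resp.headers["location"] || "(no Location header)";
    problems.push(`redirect ${resp.status} to ${target}: preflights are not followed`);
  } else if (resp.status < 200 || resp.status > 299) {
    problems.push(`non-2xx status ${resp.status}`);
  }
  const acao = resp.headers["access-control-allow-origin"];
  if (acao === undefined) {
    problems.push("Access-Control-Allow-Origin missing");
  } else if (acao !== "*" && acao !== origin) {
    problems.push(`Access-Control-Allow-Origin ${acao} does not match ${origin}`);
  }
  return problems;
}

const REQUESTED =
  "https://chroniclingamerica.loc.gov/search/titles/results?terms=Tulsa&format=json";
const ORIGIN = "http://localhost:4200"; // assumed dev origin of the Angular client

// Constructed sample: what the issue reports for the slash-less URL.
const redirected = { status: 301, headers: { location: withTrailingSlash(REQUESTED) } };
// Constructed sample: header per the reply above; the 200 status is an assumption.
const canonical = { status: 200, headers: { "access-control-allow-origin": "*" } };

console.log(withTrailingSlash(REQUESTED));
console.log(diagnosePreflight(redirected, ORIGIN));
console.log(diagnosePreflight(canonical, ORIGIN));
```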