agrueneberg / Corser

CORS middleware for Node.js
MIT License

NodeJS/Express PUT request failing with: No 'Access-Control-Allow-Origin' header is present on the requested resource #16

Closed eat-sleep-code closed 9 years ago

eat-sleep-code commented 9 years ago

The documentation is unclear.

Below is my corser implementation. I understand that some of this might be redundant or unnecessary. I am just trying to find the magic setting to make the PUT request complete successfully:

app.use(corser.create({
    corser.simpleRequestHeaders: corser.simpleRequestHeaders.concat(["GET", "POST", "PUT", "DELETE", "OPTIONS"]),
    corser.simpleResponseHeaders: corser.simpleResponseHeaders.concat(["GET", "POST", "PUT", "DELETE", "OPTIONS"]),
    corser.simpleResponseHeaders: corser.simpleResponseHeaders.concat(["Access-Control-Allow-Origin"]),
    requestHeaders: corser.simpleRequestHeaders.concat(["X-Requested-With"])
}));
app.all('', function(request, response, next) {
    response.header('Access-Control-Allow-Headers', 'Content-Type,X-Requested-With,Authorization,Access-Control-Allow-Origin');
    response.header('Access-Control-Allow-Methods', 'POST,GET,PUT,DELETE,OPTIONS');
    response.header('Access-Control-Allow-Origin', '');
    next();
});

agrueneberg commented 9 years ago

Hi @eat-sleep-code,

please try this:

app.use(corser.create({
    methods: corser.simpleMethods.concat(["PUT"]),
    requestHeaders: corser.simpleRequestHeaders.concat(["X-Requested-With"])
}));

This will allow cross-origin GET, POST, HEAD, and PUT requests with Accept, Accept-Language, Content-Language, Content-Type, Last-Event-ID and X-Requested-With headers. Your request might have some more headers that prohibit CORS, though. A good way to share more information with me is to open the Network section of the Chrome Developer Tools, find the request, right click to Copy as cURL, and paste it here.

eat-sleep-code commented 9 years ago

This appears to have been the magic bullet. Thanks

agrueneberg commented 9 years ago

No problem, glad it worked.

eat-sleep-code commented 9 years ago

I thought it worked. But apparently not. In IE11 it works great ONLY if the developer tools are open??? If I close the developer tools it no longer works??? In Chrome and Firefox it does not work either way?

Chrome reports that the response was "(canceled)"

Here is the CURL:

curl "http://services.sitecorearizona.org/jobs/_id/5503bb957e4eacd821b5c046" -X OPTIONS -H "Access-Control-Request-Method: PUT" -H "Origin: http://sitecorearizona.org" -H "Referer: http://sitecorearizona.org/job-opportunities" -H "User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36" -H "Access-Control-Request-Headers: accept, content-type" --compressed

Firebug shows the following error: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://services.sitecorearizona.org/jobs/_id/5503bb957e4eacd821b5c046. This can be fixed by moving the resource to the same domain or enabling CORS.

agrueneberg commented 9 years ago

CORS seems to work fine on the domain you mentioned (I'm getting 400 responses because I don't know your API, though). Your request also doesn't seem to add any special headers as far as I can tell from the Access-Control-Request-Headers. Does your PUT request work if you try it from the command line using curl or any other client that is not subject to the same origin policy? It could be that the server returns a 500 response.

Also, did you remove the CORS headers in app.all? If I curl your domain with GET I'm still getting Access-Control-Allow-Headers and Access-Control-Allow-Methods headers that shouldn't be there.

eat-sleep-code commented 9 years ago

Sorry. The second issue was caused by some later code I had added.
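
Added example, not part of the thread and not Corser's own code: a standalone model of the preflight decision, run against the OPTIONS request from the curl command above, first with only the simple methods and then with the `methods`/`requestHeaders` lists suggested in the thread. The function name `checkPreflight`, the result shape, and the exact matching rules are assumptions made for illustration.

```javascript
// Model of an allow-list preflight check (illustrative, not Corser's source).
// The method and header lists mirror the values quoted in the thread.
const simpleMethods = ["GET", "HEAD", "POST"];
const simpleRequestHeaders = ["Accept", "Accept-Language", "Content-Language",
                              "Content-Type", "Last-Event-ID"];

// Split a comma-separated header value into trimmed, lowercased tokens.
function tokens(value) {
  return (value || "").split(",").map(t => t.trim().toLowerCase()).filter(Boolean);
}

// Decide a preflight (OPTIONS) request; `headers` uses lowercase names.
function checkPreflight(config, headers) {
  const origin = headers["origin"];
  const method = headers["access-control-request-method"];
  if (!origin || !method) {
    return { allowed: false, reason: "not a preflight request" };
  }
  // Methods are compared as sent; header names are compared case-insensitively.
  if (!config.methods.includes(method)) {
    return { allowed: false, reason: "method not allowed: " + method };
  }
  const allowedHeaders = config.requestHeaders.map(h => h.toLowerCase());
  const rejected = tokens(headers["access-control-request-headers"])
    .filter(h => !allowedHeaders.includes(h));
  if (rejected.length > 0) {
    return { allowed: false, reason: "header not allowed: " + rejected.join(", ") };
  }
  return { allowed: true, reason: "ok" };
}

// Preflight headers reconstructed from the curl command in the thread.
const preflight = {
  "origin": "http://sitecorearizona.org",
  "access-control-request-method": "PUT",
  "access-control-request-headers": "accept, content-type"
};
// Constructed variant: the same request if the client also sent Authorization.
const withAuthorization = Object.assign({}, preflight,
  { "access-control-request-headers": "accept, content-type, authorization" });

const defaults = { methods: simpleMethods, requestHeaders: simpleRequestHeaders };
const suggested = {
  methods: simpleMethods.concat(["PUT"]),
  requestHeaders: simpleRequestHeaders.concat(["X-Requested-With"])
};

console.log(checkPreflight(defaults, preflight));
console.log(checkPreflight(suggested, preflight));
console.log(checkPreflight(suggested, withAuthorization));
```

Each method or header the API needs is added to the lists explicitly, so anything not listed keeps being refused at preflight.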