search

agrueneberg / Corser

CORS middleware for Node.js
MIT License
91 stars 11 forks source link

Request header field Content-Type is not allowed by Access-Control-Allow-Headers in preflight response. #22

Closed playground closed 3 months ago

playground commented 6 years ago

What am I missing? I follow the example but still getting pre-flight error

  app.use(corser.create({
    endPreflightRequests: false
  }));
  app.post('/resource/my-test', (req, res, next) => {
    if(req.method === 'OPTIONS') {
      res.writeHead(204);
      res.end();
    }
    ...
  });
agrueneberg commented 6 years ago

Thanks for asking this question: I realized that I don't have any client-side examples.

The configuration above will only work if the client sends a "simple" request, i.e., GET, HEAD, POST as method, some headers such as Accept, Accept-Language, Content-Language, and Content-Type, etc. Content-Type has an important restriction: only application/x-www-form-urlencoded, multipart/form-data, and text/plain are allowed. If you are like most people, your Content-Type will be application/json, and this is not allowed by default. You will need to explicitly specify Content-Type in the configuration object under the requestHeaders key, ideally as follows:

app.use(corser.create({
    endPreflightRequests: false,
    corser.simpleRequestHeaders.concat(["Content-Type"])
})

Hope that helps. -ag

playground commented 6 years ago

@agrueneberg still getting the same error with your suggestion

  app.use(corser.create({
    endPreflightRequests: false,
    requestHeaders: corser.simpleRequestHeaders.concat(["Content-Type"])
  }));

Header Response
access-control-allow-credentials:false
access-control-allow-headers:*
access-control-allow-methods:GET,POST,OPTIONS
access-control-allow-origin:*
access-control-max-age:86400
cache-control:private, max-age=300
content-length:2
agrueneberg commented 6 years ago

What headers are sent in the request? I'm also surprised you're getting an access-control-allow-headers header with value * with the config above. Is it Chrome?

playground commented 6 years ago

Yes, it's Chrome Version 61.0.3163.91 (Official Build) (64-bit) The express is fronted by Akamai. Seems whatever I do on express it has no effect.
The question is if access-control-allow-headers:* why would it still complaining 

Request header field Content-Type is not allowed by Access-Control-Allow-Headers in preflight response
agrueneberg commented 6 years ago

I see, in that case I would expect Akamai to handle CORS as well. There should be a way to configure those CORS-related headers? I'm wondering if the preflight requests (OPTIONS) are even coming through to Express. The response headers that they sent looks pretty permissive, but I need to see the request to tell what could be wrong.

playground commented 6 years ago

This is the request Request URL:https://stage.mydomain.com/web-pwa/query Request Method:OPTIONS Status Code:200 Remote Address:xxx.xxx.xxx.xxx:443 Referrer Policy:no-referrer-when-downgrade

request header :authority:stage.mydomain.com :method:OPTIONS :path:/web-pwa/query :scheme:https accept:/ accept-encoding:gzip, deflate, br accept-language:en-US,en;q=0.8 access-control-request-headers:content-type access-control-request-method:POST cache-control:no-cache origin:https://dev.weather.com pragma:no-cache referer:https://dev.mydomain.com/index.html user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.91 Safari/537.36

agrueneberg commented 6 years ago

I would suggest to temporarily take Akamai out of the equation, find out which CORS headers you need, and then figure out how Akamai is handling CORS. Right now it appears that they're overwriting some headers in your response, but what they do to requests and responses is a question for the Akamai support rather than one for here.