search

danialfarid / ng-file-upload

Lightweight Angular directive to upload files with optional FileAPI shim for cross browser support
MIT License
7.87k stars 1.59k forks source link

CORS support #2034

Closed BusbyActual closed 6 years ago

BusbyActual commented 6 years ago

Hey there,

This code is sending an options request and it shouldn't according to the CORS specification. The noAuth header is to override an auth intercepter service to remove auth header before sending the request. According to CORS docs, a simple request can contain 'Content-Type', and 'Accept' headers. My request satisfies all elements of a simple request to not do a preflight options request however through angularJS an options request is sent.

If I right click on the request and click 'replay xhr' it sends just fine. Is there somewhere in the lib where the request is being decorated to not be a simple request? Souce

image

Upload.upload({ url: ENV_VARS.serviceBase + '/imageUpload', data: {'file': $scope.file}, headers: {'noAuth': true, "Content-Type": "multipart/form-data", "Accept": "application/json, text/plain, /"},
}).progress(function(e) { }).then(function(data, status, headers, config) { // file is uploaded successfully console.log(data); });

1f47a commented 6 years ago

Please read the CORS docs you have linked again.

the only headers which are allowed to be manually set are those which the Fetch spec defines as being a “CORS-safelisted request-header”, which are:

Accept
Accept-Language
Content-Language
Content-Type (but note the additional requirements below)
Last-Event-ID
DPR
Save-Data
Viewport-Width
Width

Your request does not satisfy all the elements of a simple request as it has a request header of noAuth, which is not a CORS-safelisted request-header.

BusbyActual commented 6 years ago

Apologies, I think I came to the same conclusion and forgot to close this.