lwcolton / falcon-cors

CORS support for Falcon: http://falconframework.org
Apache License 2.0

Request header not allowed #1

Closed DriesS closed 8 years ago

DriesS commented 8 years ago

Hi,

I'm using the falcon-cors middleware but I still get:

```
Fetch API cannot load http://10.0.0.113/api/users/. Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.
```

I configured the API so that all headers are allowed:

```python
import falcon
from falcon_cors import CORS

cors = CORS(allow_all_origins=True, allow_all_headers=True)
# ...
api = falcon.API(before=[auth], middleware=[cors.middleware])
# ...
```

and here is my post method:

```python
# ...
def on_post(self, req, resp):
    attributes = json.loads(req.stream.read())
    user = User({})
    user.set_json_attributes(attributes)
    db_session.add(user)
    try:
        db_session.commit()
    except:
        db_session.rollback()
        raise
    resp.status = falcon.HTTP_200
    resp.body = json.dumps({'user': user.json_attributes()})
# ...
```

What am I doing wrong? Here is a curl of my API call:

```shell
curl 'http://10.0.0.113/api/users/' -X OPTIONS \
  -H 'Pragma: no-cache' \
  -H 'Access-Control-Request-Method: POST' \
  -H 'Origin: http://localhost:3000' \
  -H 'Accept-Encoding: gzip, deflate, sdch' \
  -H 'Accept-Language: en-US,en;q=0.8,es;q=0.6,fr;q=0.4,nl;q=0.2' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_103) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36' \
  -H 'Accept: */*' \
  -H 'Cache-Control: no-cache' \
  -H 'Referer: http://localhost:3000/users/add' \
  -H 'Connection: keep-alive' \
  -H 'Access-Control-Request-Headers: accept, content-type' \
  --compressed
```

lwcolton commented 8 years ago

Could you please add the -v argument to your curl command and post the response?

ikresoft commented 8 years ago

I am using ExtJS 6 GPL and I get the same problem: Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response. Access-Control-Request-He... content-type,x-requested-with

jcampanello commented 8 years ago

@DriesS I think the problem is due to two things:

  1. You should configure falcon-cors to allow credentials. Given your configuration, I think you should also set allow_credentials_all_origins = True
  2. In your JavaScript code, when you make the AJAX request, you must set the property withCredentials = true

Your AJAX call should be something like this:

```javascript
var xmlhttp = new XMLHttpRequest();
xmlhttp.open(method, url, true);
xmlhttp.withCredentials = true;
xmlhttp.setRequestHeader('Content-type', 'application/json');
xmlhttp.send(' { "param" : "blah blah blah" } ');
```

At least, I can say that I was having the same issue and those two things fixed the problem.
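
To check the headers returned by a `curl -v` preflight offline, the following added example (not part of the original thread and not falcon-cors code) applies a simplified version of the Fetch standard's preflight rules to a request/response header pair. The function name `check_preflight` and all sample responses are constructed for illustration.

```python
# Added example. Simplified model of the browser's CORS preflight check.
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language"}
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}

def _tokens(value):
    """Split a comma-separated header value into lowercase tokens."""
    return {t.strip().lower() for t in (value or "").split(",") if t.strip()}

def check_preflight(request, response, credentials=False):
    """Return the reasons a browser would block the request ([] = allowed)."""
    req = {k.lower(): v for k, v in request.items()}
    res = {k.lower(): v for k, v in response.items()}
    star_ok = not credentials  # "*" is not a wildcard on credentialed requests
    problems = []

    origin = req.get("origin", "")
    allow_origin = res.get("access-control-allow-origin", "")
    if allow_origin != origin and not (allow_origin == "*" and star_ok):
        problems.append("origin not allowed by Access-Control-Allow-Origin")
    if credentials and res.get("access-control-allow-credentials") != "true":
        problems.append("Access-Control-Allow-Credentials is not 'true'")

    method = req.get("access-control-request-method", "").upper()
    methods = {m.upper() for m in _tokens(res.get("access-control-allow-methods"))}
    if (method not in SAFELISTED_METHODS and method not in methods
            and not ("*" in methods and star_ok)):
        problems.append("method %s not allowed by Access-Control-Allow-Methods" % method)

    allowed = _tokens(res.get("access-control-allow-headers"))
    requested = _tokens(req.get("access-control-request-headers"))
    for name in sorted(requested - SAFELISTED_HEADERS):
        # Authorization must always be listed by name, even without credentials.
        wildcard = "*" in allowed and star_ok and name != "authorization"
        if name not in allowed and not wildcard:
            problems.append("request header field %s is not allowed by "
                            "Access-Control-Allow-Headers" % name)
    return problems

# Constructed sample: preflight request headers as sent by the curl command above.
PREFLIGHT = {"Origin": "http://localhost:3000",
             "Access-Control-Request-Method": "POST",
             "Access-Control-Request-Headers": "accept, content-type"}
# Constructed responses, not captured from the reporter's server.
NO_ALLOW_HEADERS = {"Access-Control-Allow-Origin": "*"}
WILDCARD = {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Headers": "*"}
ECHOED = {"Access-Control-Allow-Origin": "http://localhost:3000",
          "Access-Control-Allow-Headers": "accept, content-type",
          "Access-Control-Allow-Credentials": "true"}
```

On a credentialed request `*` is taken literally, so the server has to echo the requesting origin; keeping that echo to a list of trusted origins limits which sites can make credentialed calls to the API.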