paulvanbladel / aurelia-auth

:key: Authentication plugin for aurelia

Authentication header added only if request URL is same as application host #159

Closed jakubkorczyk closed 8 years ago

jakubkorczyk commented 8 years ago

I have the following problem. The application is set up similarly to the one from the example; sadly, it adds the authorization header only if the request URL is in the same domain as the application.

giuliogatto commented 8 years ago

Same problem here, BUT I found out the problem was on the server side. In CORS there is an OPTIONS request (preflight) that is sent BEFORE the actual request. In OPTIONS requests, Authorization information is not allowed (like a JWT token, for example). The correct headers must be included in the server RESPONSE to make the authorization mechanism work correctly. In my case, PHP with Apache:

```php
$headers->add('Access-Control-Allow-Methods', 'GET');
$headers->add('Access-Control-Allow-Origin', '*');
$headers->add('Access-Control-Allow-Headers', 'Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With');
```

Adding those headers on the server Response made Aurelia Auth work in CORS.

ShawnTalbert commented 8 years ago

This sounds like expected behavior due to same-origin policy?

jakubkorczyk commented 8 years ago

Thanks giuliogatto. That worked for me. CORS was allowed, but 'Access-Control-Allow-Headers' was not set properly.
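The preflight decision discussed in this thread, as an added example that is not part of the original thread or of aurelia-auth: a simplified JavaScript model of how a browser evaluates the OPTIONS response before it sends a cross-origin request carrying an `Authorization` header. The function name, the `https://app.example` origin and the sample header sets are constructed; the model assumes the request is not in credentials mode and treats `Content-Type` as always needing approval.

```javascript
// Added example: simplified model of a browser's CORS preflight decision.
// Names and sample header sets are constructed; credentials mode is assumed
// not to be "include" (the token travels in a script-set Authorization header).
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);

const parseList = (v) =>
  (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

function checkPreflight(request, responseHeaders) {
  // Header names are case-insensitive, so normalise the response first.
  const res = {};
  for (const [k, v] of Object.entries(responseHeaders)) res[k.toLowerCase()] = v;

  const allowOrigin = res["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== request.origin) {
    return { ok: false, reason: "origin not allowed" };
  }

  const methods = parseList(res["access-control-allow-methods"]);
  const method = request.method.toUpperCase();
  if (!SAFE_METHODS.has(method) && !methods.includes("*") &&
      !methods.includes(method.toLowerCase())) {
    return { ok: false, reason: `method ${method} not allowed` };
  }

  const allowed = parseList(res["access-control-allow-headers"]);
  for (const name of request.headers.map((h) => h.toLowerCase())) {
    if (SAFE_HEADERS.has(name)) continue;
    // "*" covers ordinary headers but never Authorization, which must be named.
    const viaWildcard = allowed.includes("*") && name !== "authorization";
    if (!allowed.includes(name) && !viaWildcard) {
      return { ok: false, reason: `header ${name} not allowed` };
    }
  }
  return { ok: true, reason: "preflight passed" };
}

// Constructed request: an API call from the app's origin to another host.
const apiCall = { origin: "https://app.example", method: "GET",
                  headers: ["Authorization", "Content-Type"] };
const originOnly = { "Access-Control-Allow-Origin": "*" };
const withHeaders = { ...originOnly, "Access-Control-Allow-Methods": "GET",
  "Access-Control-Allow-Headers":
    "Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With" };
const wildcard = { ...originOnly, "Access-Control-Allow-Headers": "*" };

for (const r of [originOnly, withHeaders, wildcard]) console.log(checkPreflight(apiCall, r).reason);
```

The first and third header sets fail on `authorization` and the second passes, which matches the state where CORS is allowed but `Access-Control-Allow-Headers` does not name the header.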