Nxt Forum

Nxt Discussion => Nxt Technical Discussion => Nxt Core Development => API discussion => Topic started by: pocesar on September 12, 2014, 08:35:54 am

Title: CORS missing proper headers
Post by: pocesar on September 12, 2014, 08:35:54 am
It seems that the CORS response is missing proper headers:


Allow   GET, HEAD, POST, TRACE, OPTIONS
Content-Length   0
Server   Jetty(9.1.5.v20140505)


It should return something like:


Access-Control-Allow-Origin: http://127.0.0.1
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Max-Age: 1728000


I'm trying to reach it through the browser; since it uses different ports, the CORS request is failing because the answer is malformed.
Title: Re: CORS missing proper headers
Post by: Tosch110 on September 13, 2014, 01:50:08 am
Are you sure that in the nxt configuration file it's set:

nxt.apiServerCORS=true

?
Title: Re: CORS missing proper headers
Post by: pocesar on September 13, 2014, 05:14:56 am
Yes, and I'm using version 1.2.8 (set both nxt.apiServerCORS, even the old interface one).
Title: Re: CORS missing proper headers
Post by: mess on October 05, 2014, 07:20:22 pm
Hello pocesar!

Sorry for the (very) late reply, I just got time to investigate this issue. If you were able to get around this issue let me know. I will post my investigation results anyways.

I created a very small webapp to test CORS support and it seems to be working right in the majority of the cases. The only exception is when the Ajax request includes a custom header, and this is because the configuration needs to explicitly list any custom headers that it allows for any CORS request, not a wildcard '*'.

For example: some time ago, some of the popular JS libraries (e.g. jQuery) were adding an 'X-Requested-With: XMLHttpRequest' header by default in HTTP requests to indicate that the request was originated using Ajax. In order to make CORS work correctly, the server side CORS configuration should explicitly specify that it allows the 'X-Requested-With' header.
But now these JS libraries dropped that header and the configuration is not necessary unless the header is being explicitly added by the developer.

The other case is when the Content-Type header is other than application/x-www-form-urlencoded, multipart/form-data, or text/plain. In this case you need to explicitly specify in the server-side configuration that the Content-Type header is allowed. But the NXT UI specifies application/x-www-form-urlencoded since requests to the NXT API server do not include content in the request body, so the current configuration is fine.


Going back to your case, you said that:

"I'm trying to reach it through the browser; since it uses different ports, the CORS request is failing because the answer is malformed."

What are you trying to reach through the browser?

1) Is it the nxt UI?
2) Or are you trying to execute an API call through the browser so that it displays the response in the browser page?

AFAIK, in both cases, the HTTP request will not use CORS since in the first case the same server hosts the UI and the API server, and in the second case Ajax (javascript) is not used to fetch the contents. So in both cases CORS is not needed.

Did you verify that the 'nxt.allowedBotHosts' includes the IP address of the machine from which you are accessing the nxt instance?

- mess
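
The preflight rules described in the post above, as an added example that is not part of the thread or of Nxt's code: a simplified JavaScript model of the browser's decision, applied to the reply headers quoted in the first post and to a constructed reply that carries CORS headers. The origin http://127.0.0.1:8080 and all function and constant names are assumptions made for illustration.

```javascript
// Added example: simplified model of the browser's CORS preflight decision.
// Not modelled: credentials, wildcard header lists, header length limits.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SIMPLE_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// Copy a header object with lower-cased names.
const lower = (h) => Object.fromEntries(
  Object.entries(h || {}).map(([k, v]) => [k.toLowerCase(), String(v)]));

// Split a comma-separated header value into lower-cased tokens.
const tokens = (v) => new Set(
  (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean));

// Names of request headers that force a preflight.
function nonSimpleHeaders(reqHeaders) {
  return Object.entries(lower(reqHeaders)).filter(([name, value]) => {
    if (name === 'content-type') {
      return !SIMPLE_TYPES.has(value.split(';')[0].trim().toLowerCase());
    }
    return !SIMPLE_HEADERS.has(name);
  }).map(([name]) => name);
}

// req: {origin, method, headers}; optionsResp: headers of the OPTIONS reply.
// Returns 'no-preflight', 'ok', or 'blocked: <reason>'.
function preflightVerdict(req, optionsResp) {
  const method = req.method.toUpperCase();
  const extra = nonSimpleHeaders(req.headers);
  if (SIMPLE_METHODS.has(method) && extra.length === 0) return 'no-preflight';
  const resp = lower(optionsResp);
  const allowOrigin = resp['access-control-allow-origin'];
  if (allowOrigin !== '*' && allowOrigin !== req.origin) return 'blocked: origin not allowed';
  const methods = tokens(resp['access-control-allow-methods']);
  if (!SIMPLE_METHODS.has(method) && !methods.has(method.toLowerCase())) return 'blocked: method not allowed';
  const allowed = tokens(resp['access-control-allow-headers']);
  const missing = extra.filter((name) => !allowed.has(name));
  return missing.length ? 'blocked: header ' + missing.join(', ') : 'ok';
}

// Reply headers quoted in the first post, and a constructed reply with CORS headers.
const REPLY_FROM_THREAD = {
  Allow: 'GET, HEAD, POST, TRACE, OPTIONS', 'Content-Length': '0', Server: 'Jetty(9.1.5.v20140505)' };
const REPLY_WITH_CORS = {
  'Access-Control-Allow-Origin': 'http://127.0.0.1:8080',
  'Access-Control-Allow-Methods': 'POST, GET, OPTIONS',
  'Access-Control-Allow-Headers': 'X-Requested-With' };
```

A 'no-preflight' verdict only means the browser sends no OPTIONS request first; the actual response still needs a matching Access-Control-Allow-Origin before page script can read it.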