Topic: CORS missing proper headers (Read 1603 times)

pocesar · « **on:** September 12, 2014, 08:35:54 am »

It seems that the cors response is missing proper headers:

Allow GET, HEAD, POST, TRACE, OPTIONS Content-Length 0 Server Jetty(9.1.5.v20140505)

It should return something like:

Access-Control-Allow-Origin: http :// 127.0.0.1 Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Max-Age: 1728000

I'm trying to reach it through the browser, since it uses different ports, the CORS request is failing because the answer is malformed

Tosch110 · « **Reply #1 on:** September 13, 2014, 01:50:08 am »

are you sure in the nxt configuration file its set:

nxt.apiServerCORS=true

?

pocesar · « **Reply #2 on:** September 13, 2014, 05:14:56 am »

yes, and I'm using version 1.2.8 (set both nxt.apiServerCORS, even the old interface one)

mess · « **Reply #3 on:** October 05, 2014, 07:20:22 pm »

Hello pocesar!

Sorry for the (very) late reply, I just got time to investigate this issue. If you were able to get around this issue let me know. I will post my investigation results anyways.

I created a very small webapp to test CORS support and it seems to be working right in the majority of the cases. The only exception is when the ajax request includes a custom header, and this is because the configuration needs to explicitly list any custom headers that it allows for any CORS request, not a wildcard '*'.

For example: some time ago, some of the popular JS libraries (e.g. jquery) were adding a 'X-Requested-With: XMLHttpRequest' header by default in HTTP requests to indicate that the request was originated using Ajax. In order to make CORS work correctly, the server side CORS configuration should explicitly specify that it allows the 'X-Requested-With' header.
But now these JS libraries dropped that header and the configuration is not necessary unless the header is being explicitly added by the developer.

The other case is when the Content-Type header is other than application/x-www-form-urlencoded, multipart/form-data, or text/plain. In this case you need to explicitly specify in the server-side configuration that the Content-Type header is allowed. But the NXT UI specifies application/x-www-form-urlencoded since requests to the NXT API server do not include content in the request body, so the current configuration is fine.

Going back to your case, you said that:

Quote from: pocesar on September 12, 2014, 08:35:54 am

I'm trying to reach it through the browser, since it uses different ports, the CORS request is failing because the answer is malformed

What are you trying to reach through the browser?

1) Is it the nxt UI?
2) Or are you trying to execute an API call through the browser so that it displays the response in the browser page?

AFAIK, in both cases, the HTTP request will not use CORS since in the first case the same server hosts the UI and the API server, and in the second case Ajax (javascript) is not used to fetch the contents. So in both cases CORS is not needed.

Did you verified that the 'nxt.allowedBotHosts' includes the ip address of the machine from which you are accessing the nxt instance?

- mess

Switch to ArdorForum

News:

Author Topic: CORS missing proper headers (Read 1603 times)

pocesar

CORS missing proper headers

Tosch110

Re: CORS missing proper headers

pocesar

Re: CORS missing proper headers

mess

Re: CORS missing proper headers