CORS – How Access-Control-Allow-Headers Work

corsjavascriptjquery

I'm trying to make CORS request POST from domain.example to a.domain.example.

My JavaScript looks like this

$('#fileupload').fileupload({
  xhrFields: {
    withCredentials: true
  },
  dataType: 'json',
  url: $('#fileupload').data('path'),
  singleFileUploads: true,
  add: function(e, data){
    data.submit();
  }
});

At first I see the OPTIONS route being called like so:

Request URL: https://a.domain.example/some/route
Request Method:OPTIONS
Status Code:200 OK

OPTIONS REQUEST:

Access-Control-Request-Headers:origin, content-type, accept
Access-Control-Request-Method:POST
Host:a.domain.example
Origin:http://domain.example:3000
Referer:http://domain.example:3000/home

OPTIONS RESPONSE

Access-Control-Allow-Credentials:true
Access-Control-Allow-Methods:POST
Access-Control-Allow-Origin:http://domain.example:3000
Connection:keep-alive
Content-Length:0
Content-Type:text/html;charset=utf-8

That request comes back with a 200 like stated. On my server, I have the same route with POST method and this is what I get in return after the OPTIONS

Request URL:https://a.domain.example/some/route

POST REQUEST

Content-Type:multipart/form-data; boundary=----WebKitFormBoundaryjwr5Pk7WBcfzMdbO
Origin:http://domain.example:3000
Referer:http://domain.example:3000/home

and the POST request gets canceled/fails.

My question is, do I need to have the access-control-allow-origin on the POST controller as well?

I have a cookie for authorization that has domain .domain.example that cookie got sent across once in a request and it's not being sent now. Any idea why that would happen?

Best Answer

Yes, you need to have the header Access-Control-Allow-Origin: http://domain.example:3000 or Access-Control-Allow-Origin: * on both the OPTIONS response and the POST response. You should include the header Access-Control-Allow-Credentials: true on the POST response as well.

Your OPTIONS response should also include the header Access-Control-Allow-Headers: origin, content-type, accept to match the requested header.

Non-simple requests

What happens on the network level can be slightly more complex than explained above. If the request is a "non-simple" request, the browser first sends a data-less "preflight" OPTIONS request, to verify that the server will accept the request. A request is non-simple when either (or both) using:

An HTTP verb other than GET or POST (e.g. PUT, DELETE);
Non-simple request headers; the only simple requests headers are:
- Accept;
- Accept-Language;
- Content-Language;
- Content-Type (this is only simple when its value is application/x-www-form-urlencoded, multipart/form-data, or text/plain).

If the server responds to the OPTIONS preflight with appropriate response headers (Access-Control-Allow-Headers for non-simple headers, Access-Control-Allow-Methods for non-simple verbs) that match the non-simple verb and/or non-simple headers, then the browser sends the actual request.

Supposing that Site A wants to send a PUT request for /somePage, with a non-simple Content-Type value of application/json, the browser would first send a preflight request:

OPTIONS /somePage HTTP/1.1
Origin: http://siteA.com
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: Content-Type

Note that Access-Control-Request-Method and Access-Control-Request-Headers are added by the browser automatically; you do not need to add them. This OPTIONS preflight gets the successful response headers:

Access-Control-Allow-Origin: http://siteA.com
Access-Control-Allow-Methods: GET, POST, PUT
Access-Control-Allow-Headers: Content-Type

When sending the actual request (after preflight is done), the behavior is identical to how a simple request is handled. In other words, a non-simple request whose preflight is successful is treated the same as a simple request (i.e., the server must still send Access-Control-Allow-Origin again for the actual response).

The browsers sends the actual request:

PUT /somePage HTTP/1.1
Origin: http://siteA.com
Content-Type: application/json

{ "myRequestContent": "JSON is so great" }

And the server sends back an Access-Control-Allow-Origin, just as it would for a simple request:

Access-Control-Allow-Origin: http://siteA.com

See Understanding XMLHttpRequest over CORS for a little more information about non-simple requests.

JavaScript CORS – Understanding Origin Header

The Origin header

When this header is added ?

During the header's stage, before the document's body is sent (after open, before send).

Is it added when a browser (that support CORS) is doing a request ? ( cross domain or non-cross-domain?)

It is added when the origin doesn't match the page from which the XMLHttpRequest is created, but may also be sent in a same-origin request.

Or does it added automatically when the browser "sees" that the request target origin is different from the current origin...

Yes.

However, the browser will always send the required Origin headers when necessary.

This is part of the XMLHttpRequest spec; if you're making a cross-domain request, in the request headers an extra header is sent. This header is e.g. Origin: http://www.stackoverflow.com and is appended by a standards-following browser without user interaction.

You can read more on the specification in MozillaWiki's Security section, WHATWG and html5.org. It is implemented by (that I know of) FireFox and Google Chrome. I don't believe it is part of W3C yet. Further do not assume the origin header is true, as it can be set manually by modified borwsers or other software.

Best Answer

Related Solutions

JavaScript CORS – How Does the ‘Access-Control-Allow-Origin’ Header Work?

Non-simple requests

JavaScript CORS – Understanding Origin Header

The Origin header

Related Question