19

My backbone.js application throwing an HTTP OPTIONS not found error when I try to save a model to my restful web service that's located on another host/URL.

Based on my research, I gathered from this post that :

a request would constantly send an OPTIONS http request header, and not trigger the POST request at all.

Apparently CORS with requests that will "cause side-effects on user data" will make your browser "preflight" the request with the OPTIONS request header to check for approval, before actually sending your intended HTTP request method.

I tried to get around this by:

  • Settting emulateHTTP in Backbone to true.

Backbone.emulateHTTP = true;

  • I also allowed allowed all CORS and CSRF options in the header.

    header('Access-Control-Allow-Origin: *');
    header("Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept"); header("Access-Control-Allow-Methods: GET, POST, OPTIONS");

The application crashed when the Backbone.emulateHTTP line of code was introduced.

Is there a way to respond to OPTIONS request in CodeIgniter RESTServer and are there any other alternatives to allow either disable this request from talking place?

I found this on Github as one solution. I am not sure if I should use it as it seems a bit outdated.

Community
  • 1
  • 1
Joel Dean
  • 2,444
  • 5
  • 32
  • 50

3 Answers3

51

I encountered exactly the same problem. To solve it I have a MY_REST_Controller.php in core and all my REST API controllers use it as a base class. I simply added a constructor like this to handle OPTIONS requests.

function __construct() {

    header('Access-Control-Allow-Origin: *');
    header("Access-Control-Allow-Headers: X-API-KEY, Origin, X-Requested-With, Content-Type, Accept, Access-Control-Request-Method");
    header("Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE");
    $method = $_SERVER['REQUEST_METHOD'];
    if($method == "OPTIONS") {
        die();
    }
    parent::__construct();
}

This just checks if the request type is OPTIONS and if so just dies out which return a code 200 for the request.

jamespcole
  • 526
  • 6
  • 3
  • 2
    After searching for hours; this was the solution. Thanks :) – Farhan Ahmad Nov 16 '14 at 23:40
  • On top of it we can add "Access-Control-Allow-Origin" like this, header('Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN']); So that here you can check allow which domain access to your api's. – Prasad Shinde Aug 16 '16 at 13:07
  • probably better to send a 204 response: so code would be: parent::__construct(); if($_SERVER['REQUEST_METHOD'] === "OPTIONS") { $this->response(NULL,HTTP_NO_CONTENT); return; } – pgee70 Apr 28 '17 at 02:16
  • May I know why do you need to deny all 'OPTIONS' request method? – solomonculaste Feb 13 '18 at 02:46
  • It works in local else we need to live and upload to server. Am using codeigniter and react js in front end. Where we have to put this.? – Prashanth Harish May 17 '18 at 13:26
7

You can also modify the $allowed_http_methods property in your subclass to exclude the options method. Previous versions of REST_controller did nothing with OPTIONS and adding this line seems to mimic that behavior:

protected $allowed_http_methods = array('get', 'delete', 'post', 'put');
Shiva Saurabh
  • 1,281
  • 2
  • 25
  • 47
andymcintosh
  • 71
  • 2
  • 5
0

I solved in this way:

header('Access-Control-Allow-Origin: *');
header("Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE");
header("Access-Control-Allow-Headers: X-API-KEY, Origin, X-Requested-With, Content-Type, Accept, Access-Control-Request-Method, x_requested_with");

if ( "OPTIONS" === $_SERVER['REQUEST_METHOD'] ) {
    die();
}

Pay attention to add x_requested_with in Access-Control-Allow-Headers.

Mario Giancola
  • 33
  • 4