
What would a preflighted HTTP request look like if you include Basic auth? Like the following conversation? I'm having trouble understanding which headers need to be sent where, also because it's not possible to debug it properly with Firebug.

Client:

OPTIONS /api/resource HTTP/1.1
Access-Control-Request-Method: GET
Origin: http://jsconsole.com

Server:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, DELETE
Access-Control-Allow-Headers: Authorization
Access-Control-Max-Age: 1728000
Access-Control-Allow-Credentials: true

Client:

GET /api/resource HTTP/1.1
Access-Control-Request-Method: GET
Access-Control-Allow-Credentials: true
Origin: http://jsconsole.com

Server:

HTTP/1.1 401 Unauthorized
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, DELETE
Access-Control-Allow-Headers: Authorization
Access-Control-Max-Age: 1728000
Access-Control-Allow-Credentials: true
WWW-Authenticate: Basic realm="Authorisation Required"

Client:

GET /api/resource HTTP/1.1
Access-Control-Allow-Credentials: true
Authorization: Basic base64encodedUserAndPassword
Access-Control-Request-Method: GET
Origin: http://jsconsole.com

Server:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, DELETE
Access-Control-Allow-Headers: Authorization
Access-Control-Max-Age: 1728000
Access-Control-Allow-Credentials: true
user1703761
  • See the "CORS with basic auth" section a bit midway through the article at http://avalanche123.com/blog/2011/10/10/cross-domain-javascript-lessons-learned/ – Ray Nicholus Aug 29 '13 at 03:21
  • Unfortunately the avalanche blog entry is out of date. Chrome totally supports basic auth. IE however does not unless you play around with the security settings. – ianbeks Dec 09 '13 at 15:09

1 Answer


If you're requesting credentials then the server must respond with the specific origin in the Access-Control-Allow-Origin response header (and thus can't use the wildcard *). Of course it would then also need to respond with Access-Control-Allow-Credentials response header too.

Brock Allen
  • And the Access-Control-Allow-Headers is not actually required. FF/Chrome work without it. However, IE's implementation of CORS does not support basic authentication at all unless you play around with its security settings (Enable cross domain requests). – ianbeks Dec 09 '13 at 15:12
  • Yea, it depends how you're doing basic auth. If you manually craft the authorization header then you're right, but if you want the browser to supply it then the allow credentials is needed. – Brock Allen Feb 19 '14 at 16:22
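To make the answer concrete, here is an added example (not the asker's code and not from any library) that models the server side of the exchange in the question: the preflight, the 401 challenge, and the credentialed GET. It applies the rule from the answer, echoing the exact origin and sending Access-Control-Allow-Credentials instead of the wildcard, and includes a small audit function that flags the wildcard-with-credentials combination from the draft exchange. Note that Access-Control-Allow-Credentials is a response header only; the client never sends it. The allow-list, the user table and all helper names are assumptions made for this example.

```python
# Added example: minimal server-side model of a CORS preflight followed by a
# Basic-auth request. Not the asker's code; allow-list, users and names are assumed.
import base64
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed allow-list; the question's origin is used as the sample caller.
ALLOWED_ORIGINS = {"http://jsconsole.com"}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_HEADERS = {"authorization"}   # header names compare case-insensitively
MAX_AGE = "1728000"
SAMPLE_USERS = {"alice": "s3cret"}    # constructed test account


def basic_credential(user: str, password: str) -> str:
    """Encode a Basic Authorization header value (what the browser or script sends)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def cors_headers(origin: Optional[str], credentials: bool) -> Dict[str, str]:
    """Response headers for a caller at `origin`.

    With credentials (Authorization supplied by the browser, or cookies) the
    browser refuses 'Access-Control-Allow-Origin: *', so the exact origin is
    echoed back, and only when it is on the allow-list. Vary: Origin keeps a
    shared cache from replaying one origin's answer to another.
    """
    if origin not in ALLOWED_ORIGINS:
        return {}                      # unknown origin: no CORS grant at all
    headers = {
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": "Authorization",
        "Access-Control-Max-Age": MAX_AGE,
        "Vary": "Origin",
    }
    if credentials:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    else:
        headers["Access-Control-Allow-Origin"] = "*"
    return headers


def check_basic_auth(authorization: Optional[str], users: Dict[str, str]) -> Optional[str]:
    """Return the user name when the Basic credential is valid, else None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode()
    except ValueError:                 # binascii.Error and UnicodeDecodeError
        return None
    user, _, password = decoded.partition(":")
    expected = users.get(user)
    if expected is None:
        return None
    return user if hmac.compare_digest(expected.encode(), password.encode()) else None


def handle(method: str, headers: Dict[str, str], users: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Model the server side: preflight, then the credentialed request."""
    origin = headers.get("Origin")
    if method == "OPTIONS" and "Access-Control-Request-Method" in headers:
        # The preflight carries no credentials, but its response must already
        # name the origin and allow credentials or the browser drops the real request.
        wanted = {h.strip().lower() for h in headers.get("Access-Control-Request-Headers", "").split(",") if h.strip()}
        if headers["Access-Control-Request-Method"] not in ALLOWED_METHODS or not wanted <= ALLOWED_HEADERS:
            return 403, {}, ""
        return 200, cors_headers(origin, credentials=True), ""
    cors = cors_headers(origin, credentials=True)
    user = check_basic_auth(headers.get("Authorization"), users)
    if user is None:
        # The 401 keeps its CORS headers so the calling script can see the status.
        cors["WWW-Authenticate"] = 'Basic realm="Authorisation Required"'
        return 401, cors, ""
    return 200, cors, f"hello {user}"


def audit(response_headers: Dict[str, str]) -> List[str]:
    """Flag the misconfiguration from the question's draft: credentials with '*'.
    Echoing an origin that is not on the allow-list is flagged too, since that
    would hand any site a credentialed response."""
    problems = []
    acao = response_headers.get("Access-Control-Allow-Origin")
    cred = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if cred and acao == "*":
        problems.append("Allow-Credentials combined with wildcard origin; browsers reject this")
    elif cred and acao not in ALLOWED_ORIGINS:
        problems.append(f"credentialed response granted to non-allow-listed origin {acao!r}")
    return problems


if __name__ == "__main__":
    flow = [
        ("OPTIONS", {"Origin": "http://jsconsole.com", "Access-Control-Request-Method": "GET",
                     "Access-Control-Request-Headers": "authorization"}),
        ("GET", {"Origin": "http://jsconsole.com"}),
        ("GET", {"Origin": "http://jsconsole.com", "Authorization": basic_credential("alice", "s3cret")}),
    ]
    for m, hdrs in flow:
        status, resp, body = handle(m, hdrs, SAMPLE_USERS)
        print(m, status, resp.get("Access-Control-Allow-Origin"), body)
    print(audit({"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true"}))
```

The preflight check also covers the detail from the comments: when a script sets the Authorization header itself, the browser lists it in Access-Control-Request-Headers, and the preflight only succeeds if the server's allow-list contains it; when the browser supplies the credential on its own, the Allow-Credentials grant is what matters.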