2

I'm trying to send a file to rackspace via AJAX. This is my first time looking at CORS. I see in the documentation the option to send a preflight request, however since I personally set the header and know that my origin is valid I'm trying to forgo, these are the headers from my upload endpoint:

HTTP/1.1 204 No Content
Content-Length: 0
X-Container-Object-Count: 2
Accept-Ranges: bytes
X-Container-Meta-Access-Log-Delivery: false
X-Container-Meta-Access-Control-Expose-Headers: etag location x-timestamp x-trans-id
X-Timestamp: 1401852621.29287
X-Container-Meta-Access-Control-Allow-Origin: h ttp://localhost:8080**<-- (manually added the space after "h" so stackoverflow would let me submit) 
X-Container-Bytes-Used: 5572910
Content-Type: text/plain; charset=utf-8
X-Trans-Id: txfc64055cb1114b6fb0ef6-0053a77a46ord1
Date: Mon, 23 Jun 2014 00:52:22 GMT

However, whenever I try to send the request it immediate fails in chrome with the following message:

XMLHttpRequest cannot load [**I'm redacting my actual endpoint**]. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'h ttp://localhost:8080' is therefore not allowed access.

Here are my request headers:

Content-Type:multipart/form-data; boundary=----WebKitFormBoundaryZSg4nEq8EDaXQQBu
Origin:h ttp://localhost:8080
Referer:h ttp://localhost:8080/tools/artwork
<-- (manually added the space after "h" so stackoverflow would let me submit) 
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36

What am I missing? Is preflight request required even if you know origin is permitted? I never see a packet come back to seems like Chrome isn't sending?

karthikr
  • 97,368
  • 26
  • 197
  • 188
Tim Lindsey
  • 727
  • 1
  • 7
  • 18

2 Answers2

3

Yes, preflight is required any time your CORS request is not of the "simple" variety--meaning, you have a method other than GET, HEAD, or POST, a content type other than application/x-www-form-urlencoded, multipart/form-data, or text/plain, or your request sets a custom header.

Regardless of this, however, the response you've pasted does not contain Access-Control-Allow-Origin (it has X-Container-Meta-Access-Control-Allow-Origin) in the first place, which is why your request was rejected.

Jeff Hubbard
  • 9,822
  • 3
  • 30
  • 28
  • Jeff, this is a post I'm trying to send, and per the rackspace docs they don't seem to support setting the Access-Control-Allow-Origin header, just the "X-Container-Meta-Access-Control-Allow-Origin" header – Tim Lindsey Jun 23 '14 at 01:38
  • If the origin server doesn't send back the correct headers, there's nothing you can do. That's just how CORS works. – Jeff Hubbard Jun 23 '14 at 06:16
  • That was it! my request sets a custom header – Oded Breiner Sep 11 '16 at 11:45
0

In your server,add Access-Control-Allow-Origin: http://foo.example header.

For example in Spring Controller, response.setHeader("Access-Control-Allow-Origin", "http:localhost:8080");

Additional things, 

Access-Control-Allow-Origin: http://foo.example   // you can add as many urls separated by commas or '*' to allow all urs
Access-Control-Allow-Methods: POST, GET, OPTIONS // Request method options separated by commas
Access-Control-Allow-Headers: X-PINGOTHER
Access-Control-Max-Age: 1728000      // expiration in milliseconds

Refer this MDN site.

Bharath
  • 519
  • 4
  • 7
  • The endpoint is rackspace, which as it appears in their docs (http://docs.rackspace.com/files/api/v1/cf-devguide/content/CORS_Container_Header-d1e1300.html) doesn't seem to allow me to set "Access-Control-Allow-Origin" just X-Container-Meta-Access-Control-Allow-Origin – Tim Lindsey Jun 23 '14 at 01:19
  • As per this [Documentation](http://docs.rackspace.com/files/api/v1/cf-devguide/content/CORS_Container_Header-d1e1300.html), they are allowing only three headers. So have you set all the three? – Bharath Jun 23 '14 at 01:26