7

I'm trying to use AngularJS with a Jetty backend.

Preflight CORS requests are working fine in Chrome, but in Firefox I get this CORS error: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://remote.machine:8080/api/v1/provisioning/users/current-user. This can be fixed by moving the resource to the same domain or enabling CORS.

The headers for the OPTIONS request are as follows:

HTTP/1.1 200 OK
Date: Wed, 24 Sep 2014 16:06:12 GMT
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Frame-Options: DENY
Access-Control-Allow-Methods: GET, PUT, POST, OPTIONS, DELETE
Access-Control-Max-Age: 3600
Access-Control-Allow-Headers: Access-Control-Allow-Headers: Origin, Authorization, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Credentials: true
Set-Cookie: JSESSIONID=eyv8cpnnfphy1b0121uzt293y;Path=/
Content-Length: 0
Server: Jetty(9.2.2.v20140723)

The angular request is set up as follows:

$http.get(AS_API_URL + '/provisioning/users/current-user', {
    headers: {
        'Authorization': 'Basic ' + base64EncodedAuth
    }
});

For some reason these headers work fine in Chrome but not in Firefox. Does anyone have a clue as to why? Do I need to provide more info?

EDIT:

Musa was right about the Access-Control-Allow-Headers being malformed. I edited the Jetty Server so the header now reads:

Access-Control-Allow-Headers: Origin, Authorization, X-Requested-With, Content-Type, Accept

I give my thanks to you Musa, you just saved my day :)

Nordfjord
  • Your `Access-Control-Allow-Headers` header seems malformed. – Musa Sep 24 '14 at 16:14
  • Have a look at the security certificate/add the domain/website to an exception list? Related question: http://stackoverflow.com/questions/24371734/firefox-cors-request-giving-cross-origin-request-blocked-despite-headers – stackErr Sep 24 '14 at 16:15
  • @Musa, Form your question as an answer so OP can accept it. Nordfjord, as far as I know, CORS doesn't affect Get requests. – Owen Sep 24 '14 at 16:27
  • @Owen that's not true. CORS affects any and all requests to a web server. The web server must return "Access-Control-Allow-Origin" with a specific host as its value. Use * as a wildcard to accept any host. Another header is "Access-Control-Allow-Headers" with the following as its values: "Origin, X-Requested-With, Content-Type, Accept". The CORS headers must be added to the server-side. I wrote a Java class example at http://stackoverflow.com/questions/23346863/deployd-data-retrieved-via-angularjs-cors/23434583#23434583 for the Wildfly web server. The browser shouldn't matter. – javaauthority Feb 10 '15 at 06:32

1 Answer

1

To expand upon Musa's answer in the comments, Firefox is blocking the request because the following header has the header twice instead of once:

Access-Control-Allow-Headers: Access-Control-Allow-Headers: Origin, Authorization, X-Requested-With, Content-Type, Accept

should be changed to

Access-Control-Allow-Headers: Origin, Authorization, X-Requested-With, Content-Type, Accept
Josh Correia
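
The malformed value discussed above can be caught before a browser ever sees it. The following is an added example, not code from the question or the answer: it checks that every entry of `Access-Control-Allow-Headers` in a preflight response is a valid header name and that each header the client intends to send is listed. The function names and the shortened sample responses are assumptions built from the two header values on this page.

```javascript
// RFC 7230 "token": the only characters legal in a header field name.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Parse a raw header block ("Name: value" per line) into a map keyed by lower-cased name.
function parseHeaders(raw) {
  const map = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;                      // status line or blank line
    const name = line.slice(0, idx).trim();
    if (!TOKEN.test(name)) continue;             // not a header line
    map.set(name.toLowerCase(), line.slice(idx + 1).trim());
  }
  return map;
}

// Validate Access-Control-Allow-Headers against the headers the client wants to send.
// A "*" wildcard entry is not treated specially here.
function checkAllowHeaders(rawResponse, requestedHeaders) {
  const value = parseHeaders(rawResponse).get('access-control-allow-headers');
  if (value === undefined) return { ok: false, problems: ['header missing'] };
  const items = value.split(',').map((s) => s.trim());
  const problems = [];
  for (const item of items) {
    if (!TOKEN.test(item)) problems.push(`not a header name: "${item}"`);
  }
  const allowed = new Set(items.map((s) => s.toLowerCase()));
  for (const h of requestedHeaders) {
    if (!allowed.has(h.toLowerCase())) problems.push(`requested header not allowed: ${h}`);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample responses, shortened to the CORS lines from the question.
const BROKEN = [
  'HTTP/1.1 200 OK',
  'Access-Control-Allow-Methods: GET, PUT, POST, OPTIONS, DELETE',
  'Access-Control-Allow-Headers: Access-Control-Allow-Headers: Origin, Authorization, X-Requested-With, Content-Type, Accept',
].join('\r\n');
const FIXED = BROKEN.replace(
  'Access-Control-Allow-Headers: Access-Control-Allow-Headers:',
  'Access-Control-Allow-Headers:'
);

console.log(checkAllowHeaders(BROKEN, ['Authorization']));
console.log(checkAllowHeaders(FIXED, ['Authorization']));
```

Running a check like this against the server's OPTIONS response in an integration test catches a duplicated header name in the value regardless of how lenient a particular browser's parser is.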