The "Access-Control-Allow-Origin" header contains an invalid value because it is blank in the response. The response must either return `*` or an actual, specified ASCII text for the origin.
W3 suggests the following:
> A resource can have one Access-Control-Allow-Origin header defined. The header must match the following ABNF:
> `Access-Control-Allow-Origin = "Access-Control-Allow-Origin" ":" ascii-origin | "*"`
See: http://www.w3.org/TR/2008/WD-access-control-20080912/#access-control-allow-origin
As others have suggested, it is up to the server to return these values correctly based on the authorization you provide and your origin. Perhaps if you don't try to send the server values, the server won't return an invalid response.
**UPDATE - 2/15/2015**
Upon further digging, I believe the issue is a combination of the server setup with your destination server and the process by which jQuery / CORS work within a browser.
What seems to be happening at the server level is that if the AUTH-KEY is not present as a header value, then the server is configured to return an empty string in the `Access-Control-Allow-Origin` response header. This does not meet standards, but some choose this as a security precaution to ensure that no invalid CORS request is made.
This server behavior impacts the client behavior due to the pre-flight request resource processing model for CORS as defined by W3 (http://www.w3.org/TR/cors/#preflight-request), which is being followed by jQuery and your browser.
Before your actual request, in which you've correctly set the AUTH-KEY in a request header, a preflight request is generated as an OPTION request (in lieu of a GET) in order to allow the server an opportunity to tell the client whether CORS policy and authentication will allow the request to be processed.
The standards also specify that the headers you provide are not actually sent in this preflight request, but instead transformed into a single header value called "Access-Control-Request-Headers" (http://www.w3.org/TR/cors/#http-access-control-request-headers). For your specific request through jQuery, you will see the following header transformation:
`Access-Control-Request-Headers: accept, auth-key`
Since the `auth-key` is not passed to the server, and as stated above, your server does not return a "valid" response to the OPTION request since this OPTION request does not contain your actual AUTH-KEY header but instead the `Access-Control-Request-Headers` header, and it is this empty `Access-Control-Response-Headers` response that generates the browser error while processing the XMLHttpRequest.
As a solution, I would try to set up a local server page in your preferred server-side language (PHP, .NET, whatever) that will perform a simple server-to-server request, and then use your ajax request against your local server-page proxy to get around the CORS issue described above.
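
For whoever controls the destination server, here is an added example (not part of the original answer and not that server's code) of answering the preflight without requiring AUTH-KEY while still enforcing it on the actual request. The origin allowlist, the `handleCors` name and the presence-only key check are assumptions made for illustration.

```javascript
// Added example. Constructed values: the allowlisted origin and the request shape
// ({ method, headers } with lower-cased header names) are assumptions.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_HEADERS = new Set(["accept", "auth-key"]);
const ALLOWED_METHODS = ["GET", "OPTIONS"];
const ACAO = "Access-Control-Allow-Origin";

function handleCors(req) {
  const h = req.headers || {};
  const origin = h["origin"];
  const originOk = ALLOWED_ORIGINS.has(origin);
  const headers = { Vary: "Origin" };

  // Echo an allowlisted origin; otherwise omit the header. Never send it blank.
  if (originOk) headers[ACAO] = origin;

  // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
  // It never carries AUTH-KEY itself, only its name in Access-Control-Request-Headers.
  if (req.method === "OPTIONS" && "access-control-request-method" in h) {
    const requested = (h["access-control-request-headers"] || "")
      .split(",")
      .map((name) => name.trim().toLowerCase())
      .filter(Boolean);
    const ok =
      originOk &&
      ALLOWED_METHODS.includes(h["access-control-request-method"]) &&
      requested.every((name) => ALLOWED_HEADERS.has(name));
    if (!ok) {
      delete headers[ACAO];
      return { status: 403, headers };
    }
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = requested.join(", ");
    return { status: 204, headers };
  }

  // Actual request: AUTH-KEY is enforced here. The presence check stands in for
  // real key validation. The CORS header stays on the 401 so the client can read it.
  return { status: h["auth-key"] ? 200 : 401, headers };
}
```

With this split, a rejected key surfaces in the browser as a readable 401 instead of an opaque CORS failure.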