I am familiar with CORS and Access-Control-Allow-* headers.

I am making a CORS XHR request that has a new Geoposition header previously not specified within the OPTIONS response Access-Control-Allow-Headers header.

When I attach my client to a new service instance, the OPTIONS and POST requests work.

When I attach my client to an older service instance, the OPTIONS response has code 200 but the POST is failed by Chrome with code 0 and

Request header field Geoposition is not allowed by Access-Control-Allow-Headers.

How do I inspect the OPTIONS response headers (within onResponseRecieved?) so that I can omit/remove the offending Geoposition header and resubmit the request?

Stevko

1 Answer

The Access-Control-Allow-Headers header is sent by the CORS server in response to the OPTIONS preflight call. If it does not permit the given header, the browser fails the request before it is even sent (hence the 0 status code), and reports back to you.

You do not control the preflight call - you don't get to create the call, set it up, or deal with the results. This is entirely managed by the browser, as a conversation with the server, to see if this client is permitted to 'bend the rules'. You have no access to this whatsoever, and this is a good thing: it is what makes CORS usable without exposing sites to various XSRF attacks.

So, since you can't inspect the headers, how else can we find out from the browser what is or isn't legal? Why not the error message?

Request header field Geoposition is not allowed by Access-Control-Allow-Headers.

I'm not certain if there is a better way than this, nor am I certain that there should be. If you are allowed to collaborate with the remote endpoint and ask for changes, consider asking them to allow an endpoint which checks for which headers are supported, or re-send this header on other requests (that are not preflights) so that you know what you are limited to.

Colin Alworth
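
The answer's suggestion of having the service advertise its allowed headers outside the preflight can be acted on client-side as sketched below; this is an added example, not code from the question or the answer. It assumes the advertised value uses the same comma-separated format as Access-Control-Allow-Headers; the function names and the sample header values are constructed.

```javascript
// Added example: names and sample values are constructed for illustration.

// Subset of the CORS-safelisted request headers: sent cross-origin without
// being listed (value-length restrictions from the Fetch spec are ignored here).
const SAFELISTED = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Parse an Access-Control-Allow-Headers style value into lowercase names.
function parseAllowHeaders(value) {
  return new Set(
    (value || "").split(",").map((h) => h.trim().toLowerCase()).filter(Boolean)
  );
}

function isAllowed(name, value, allowed, withCredentials) {
  const n = name.toLowerCase();
  if (allowed.has(n) || SAFELISTED.has(n)) return true;
  if (n === "content-type") {
    // Content-Type is safelisted only for the three "simple" MIME types.
    const mime = String(value).split(";")[0].trim().toLowerCase();
    return SIMPLE_CONTENT_TYPES.has(mime);
  }
  // "*" is a wildcard only without credentials and never covers Authorization.
  return allowed.has("*") && !withCredentials && n !== "authorization";
}

// Split the headers the client wants to send into those the service
// advertises and those that would make the browser fail the preflight.
function partitionHeaders(wanted, allowHeadersValue, withCredentials = false) {
  const allowed = parseAllowHeaders(allowHeadersValue);
  const send = {};
  const dropped = [];
  for (const [name, value] of Object.entries(wanted)) {
    if (isAllowed(name, value, allowed, withCredentials)) send[name] = value;
    else dropped.push(name);
  }
  return { send, dropped };
}

// Constructed values for an older and a newer service instance.
const OLD_SERVICE = "Content-Type, X-Requested-With";
const NEW_SERVICE = "Content-Type, X-Requested-With, Geoposition";
const WANTED = { "Content-Type": "application/json", Geoposition: "37.77;-122.42" };

console.log(partitionHeaders(WANTED, OLD_SERVICE)); // Geoposition is dropped
console.log(partitionHeaders(WANTED, NEW_SERVICE)); // nothing is dropped
```

If the service re-sends the list as a response header on ordinary requests, script can only read it cross-origin when the server also names that header in Access-Control-Expose-Headers.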