13

EDIT: The question this is marked as a duplicate of does not:

  • Explain false reporting of a CORS issue where none exists
  • Have the case of it working in Postman but not in browser.

I have this request generated from postman.

    POST /tvs/v1/sign HTTP/1.1
    Host: sp.auth.adobe.com
    Content-Type: application/x-www-form-urlencoded

    cdn=akamai&mediaToken=PHNpZ25hdHVyZUluZm8%2BSUJwRWFRbW8xSktzb1JSdkRuclpDaVJmSjNKdHk5SW9ZSmp2bklNQlpnRlIrSTUxWHVoWVR2U1RYOXB6R2FuTVl0R3RHdG9WT20zbnlPSHNPOWpLUTUrNEJtNXlTWTFnNmRzVjIrTmJoVDgwazhKV2dURlNSL3YwZWozbmVjNUxSQ084cVpZbDNpdjF0Z1BNY2ZkaEdtalorUlpaNGR2YmFCVTE5bUpRRFYwPTxzaWduYXR1cmVJbmZvPjxhdXRoVG9rZW4%2BPHNlc3Npb25HVUlEPjY4NzViYjljNTdmMTFkY2YzZTgxODk0MDdmNjQ5MmFlPC9zZXNzaW9uR1VJRD48cmVxdWVzdG9ySUQ%2BZ29sZjwvcmVxdWVzdG9ySUQ%2BPHJlc291cmNlSUQ%2BPCFbQ0RBVEFbPHJzcyB2ZXJzaW9uPSIyLjAiIHhtbG5zOm1lZGlhPSJodHRwOi8vc2VhcmNoLnlhaG9vLmNvbS9tcnNzLyI%2BPGNoYW5uZWw%2BPHRpdGxlPmdvbGY8L3RpdGxlPjxpdGVtPjx0aXRsZT5BVCZhbXA7VCBCeXJvbiBOZWxzb24gLSBSZCAxPC90aXRsZT48Z3VpZD4yMTc2OTwvZ3VpZD48L2l0ZW0%2BPC9jaGFubmVsPjwvcnNzPl1dPjwvcmVzb3VyY2VJRD48dHRsPjQyMDAwMDwvdHRsPjxpc3N1ZVRpbWU%2BMjAxNi0wNS0xOSAxNTo1NToyOCAtMDcwMDwvaXNzdWVUaW1lPjxtdnBkSWQ%2BQ2FibGV2aXNpb248L212cGRJZD48L2F1dGhUb2tlbj4%3D&resource=PHJzcyB2ZXJzaW9uPSIyLjAiIHhtbG5zOm1lZGlhPSJodHRwOi8vc2VhcmNoLnlhaG9vLmNvbS9t+cnNzLyI%2BPGNoYW5uZWw%2BPHRpdGxlPmdvbGY8L3RpdGxlPjxpdGVtPjx0aXRsZT5BVCZhbXA7VCBC+eXJvbiBOZWxzb24gLSBSZCAxPC90aXRsZT48Z3VpZD4yMTc2OTwvZ3VpZD48L2l0ZW0%2BPC9jaGFu+bmVsPjwvcnNzPg%3D%3D&url=http%3A%2F%2Fgolfstreameast.golfchannel.com%2Fnbc09%2F8188bb65-0b4e-4c80-b609-a5f2b5d63f95%2Fgolf-live-extra0519113845.ism%2Fmanifest(format%3Dm3u8-aapl-v4)

If I send this off from Postman I'll get back "token_expired" which is what I expect.

However, when I generate this code in jQuery form and trigger it through a browser, as below, I get a CORS error:

    XMLHttpRequest cannot load http://sp.auth.adobe.com/tvs/v1/sign. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://cms.devstream.nbcolympics.com:8080' is therefore not allowed access. The response had HTTP status code 403.

I'm serving the code below using http-server with the --cors option. I've aliased localhost, so I type alias:8080/index.html to reach my hosted file.

The question is this: Why does it work in Postman, but not in my browser?

Code:

    var obj = {};
    var endpoint = "http://sp.auth.adobe.com/tvs/v1/sign";
    var sourceUrl;

    // Read the four form fields and POST them, form-encoded, to the signing endpoint.
    function loadData() {
        obj.cdn = document.getElementById("cdn").value;
        obj.mediaToken = document.getElementById("mediaToken").value;
        obj.resource = document.getElementById("resource").value;
        obj.url = document.getElementById("url").value;

        var settings = {
            async: true,
            crossDomain: true,
            url: endpoint,
            method: "POST",
            headers: {
                "content-type": "application/x-www-form-urlencoded"
            },
            data: obj
        };

        // Log the response body once the request succeeds.
        $.ajax(settings).done(function (response) {
            console.log(response);
        });
    }
  • 2
    One difference between Postman and browsers that I encountered is that browsers use a preflight request with the `OPTIONS` request type. You'll need to allow such requests by adding the `Access-Control-Allow-Methods: POST, GET, OPTIONS` header on the server side. – maxhb May 20 '16 at 13:30

1 Answer

2

This is a false positive (negative?). It's not actually a CORS issue.

With certain servers like this one, if you send over data that produces a 200, you won't get back a CORS error. You'll get back what you expect.

If you send over data that produces a 403, the browser might interpret that as a false CORS error, when it really isn't.

So if you're reasonably certain that you're doing everything right, make sure you're sending a request that should return a 200.
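
The behaviour this answer describes, modelled as an added example (not code from the original question or answer): the browser decides whether script may read a response from the `Access-Control-Allow-Origin` header alone, so an error response that omits it is reported as a CORS failure whatever its status. The function names, the `triage` wording and the two sample responses are assumptions constructed for illustration, and the checks are a simplified model of the browser's rules.

```javascript
// Added example. Simplified model of the browser's CORS decisions (no credentials,
// no header-length limits). Responses are constructed samples, not captured traffic.
const ORIGIN = "http://cms.devstream.nbcolympics.com:8080"; // origin from the error above
const SAFE_HEADERS = ["accept", "accept-language", "content-language", "content-type"];
const SAFE_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];

// True when the browser would send an OPTIONS preflight before the real request.
function needsPreflight(method, headers) {
  if (!["GET", "HEAD", "POST"].includes(method.toUpperCase())) return true;
  return Object.entries(headers).some(([name, value]) => {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.includes(n)) return true;
    if (n !== "content-type") return false;
    return !SAFE_TYPES.includes(value.split(";")[0].trim().toLowerCase());
  });
}

// What page script may read. The check looks only at Access-Control-Allow-Origin,
// never at the status code, so a 403 without the header surfaces as a CORS failure.
function whatScriptSees(origin, response) {
  const key = Object.keys(response.headers)
    .find((h) => h.toLowerCase() === "access-control-allow-origin");
  const allow = key ? response.headers[key] : undefined;
  if (allow === "*" || allow === origin) {
    return { blocked: false, status: response.status, body: response.body };
  }
  return { blocked: true, status: 0, body: null }; // XHR reports status 0 here
}

// Triage from the raw response, as a non-browser client such as Postman shows it.
function triage(origin, raw) {
  if (!whatScriptSees(origin, raw).blocked) return "readable by script";
  return raw.status >= 400
    ? "error path omits CORS headers: fix the request, then re-test"
    : "success path omits CORS headers: server CORS configuration";
}

// Constructed samples of the two server behaviours the answer describes.
const rejected = { status: 403, headers: {}, body: "token_expired" };
const accepted = { status: 200, headers: { "Access-Control-Allow-Origin": "*" },
                   body: "SIGNED_URL_PLACEHOLDER" };

console.log(needsPreflight("POST", { "content-type": "application/x-www-form-urlencoded" }));
console.log(whatScriptSees(ORIGIN, rejected), triage(ORIGIN, rejected));
console.log(whatScriptSees(ORIGIN, accepted), triage(ORIGIN, accepted));
```

Postman applies neither check, which is why it shows the 403 body directly while the browser console shows only the CORS message.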