I'm doing a cross-site AJAX POST to a Laravel website while maintaining the session. This is the JS on the client website and the Laravel middleware on my server.
Client js
var formData = new FormData();
formData.append('Referer', document.referrer);
var xmlHttp = new XMLHttpRequest();
xmlHttp.open("post", "https://mywebsite.com/record");
xmlHttp.withCredentials = true;
xmlHttp.send(formData);
Server middleware
public function handle($request, Closure $next)
{
    return $next($request)
        ->header('Access-Control-Allow-Origin', $request->header('Origin'))
        ->header('Access-Control-Allow-Credential', 'true')
        ->header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
}
It seems to be working fine in the 3 browsers I've tested it in so far; however, it does seem to throw up an error of
XMLHttpRequest cannot load https://mywebsite.com/record. Credentials flag is 'true', but the 'Access-Control-Allow-Credentials' header is ''. It must be 'true' to allow credentials. Origin 'http://clientwebsite.com' is therefore not allowed access.
This is what the server sends back in fiddler.
Access-Control-Allow-Origin: http://clientwebsite.com
Access-Control-Allow-Credential: true
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Two questions.
Question 1
First, I can't understand why it's saying it's not working when I know it is. I can see the requests making it to the server and then populating my database, and I can see them being sent in Fiddler.
Question 2
There is obviously something wrong with the headers, but I'm not sure what.
I can see someone else has had the same issue, but I wasn't able to make sense of the answer, and I tried changing the header to "Access-Control-Allow-Credentials = true".
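The two things the question's middleware does that a practitioner would want to look at, shown as an added example that is not the poster's code and not part of the original page: the header the browser checks is spelled `Access-Control-Allow-Credentials` (the error message quotes the exact name), and reflecting whatever `Origin` the request carries while also allowing credentials lets any site on the web make session-bearing requests to the server, which is the same thing browsers refuse to allow when `*` is combined with credentials. A `FormData` POST with no custom headers is a CORS-safelisted "simple" request, so the browser sends it before it evaluates the response headers; that is why the database still fills up while the console reports an error, and why no OPTIONS preflight was needed. The function below is written in plain JavaScript for a Node.js handler rather than in PHP, uses an exact-match allow-list (the origins in it are constructed for illustration), and answers a preflight for the non-simple requests the question's `Allow-Methods` list advertises. `applyCors` is assumed glue for a Node `http` server and is not exercised here.

```javascript
// Added example, not code from the original question. Allow-list and header
// sets are constructed for illustration; replace with the origins you trust.
const ALLOWED_ORIGINS = new Set([
  'http://clientwebsite.com',   // the client site named in the question
  'https://clientwebsite.com',
]);
const ALLOWED_METHODS = ['GET', 'POST', 'OPTIONS'];
const ALLOWED_HEADERS = ['Content-Type', 'X-Requested-With'];

/**
 * Compute the CORS response headers for one request.
 *
 * origin                     value of the request's Origin header (undefined if absent)
 * method                     HTTP method of the request
 * accessControlRequestMethod value of Access-Control-Request-Method (preflights only)
 *
 * Returns {} when no CORS headers are needed, null when the origin (or the
 * preflighted method) is not trusted, otherwise the headers to send.
 */
function corsHeaders(origin, method, accessControlRequestMethod) {
  if (origin === undefined) {
    // Same-origin page or non-browser client: nothing to add.
    return {};
  }
  // Exact-match allow-list. A substring or regex check such as
  // origin.includes('clientwebsite.com') would also accept
  // 'http://clientwebsite.com.evil.example'. Echoing the Origin header back
  // unconditionally, as the question's middleware does, combined with
  // Allow-Credentials: true, lets any site send the user's session cookie
  // to /record and read the response.
  if (!ALLOWED_ORIGINS.has(origin)) {
    return null;
  }
  const headers = {
    'Access-Control-Allow-Origin': origin,
    // Trailing 's': the browser looks for this exact header name.
    'Access-Control-Allow-Credentials': 'true',
    // Caches must key on Origin, or one origin's response could be served to another.
    'Vary': 'Origin',
  };
  if (method === 'OPTIONS' && accessControlRequestMethod !== undefined) {
    // Preflight. The browser sends it before a non-simple request (JSON body,
    // custom headers, PUT/DELETE, ...). It carries no cookies, so it must be
    // answered before any session or auth middleware runs.
    if (!ALLOWED_METHODS.includes(accessControlRequestMethod)) {
      return null;
    }
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

/**
 * Assumed glue for a Node.js http.Server request handler (not run here).
 * Returns true when the response has been fully written (rejected request or
 * answered preflight) and the caller should not continue to its route logic.
 */
function applyCors(req, res) {
  const headers = corsHeaders(
    req.headers.origin,
    req.method,
    req.headers['access-control-request-method'],
  );
  if (headers === null) {
    // Untrusted origin: send no CORS headers and do not run the route, so a
    // credentialed cross-site POST cannot change state either.
    res.statusCode = 403;
    res.end();
    return true;
  }
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  if (req.method === 'OPTIONS') {
    res.statusCode = 204;
    res.end();
    return true;
  }
  return false;
}
```

Ported to the question's Laravel middleware, the same shape means: compare `$request->header('Origin')` against a configured list instead of reflecting it, return early with a 204 for `OPTIONS` so the preflight never reaches session handling, and spell the credentials header with the trailing `s`.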