3

Greetings,

I am trying to use CORS (http://www.w3.org/TR/2009/WD-cors-20090317/#access-control-allow-methods-header) for an application on Safari, and when I try to read the response headers from the XMLHttpRequest, I only receive the Content-Type. None of the other quite standard headers gets through, and I cannot figure out how to get this to work.

Would anyone happen to know how to fix this issue? Could this be a WebKit bug?

Edit

Here is the config I use with nginx:

    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Headers Cache-Control,Pragma,Date;
    add_header Access-Control-Allow-Methods GET,POST;

Marc Trudel
  • What are you using for your server? I'm doing this using Ruby and Sinatra with no trouble although getting it set up initially was a bit difficult. – Hemlock Jan 17 '11 at 12:22
  • nginx. The date header is present, and I'll update my question with the current config. – Marc Trudel Jan 17 '11 at 12:24
  • I suspect this is the first problem you'll have to work out: http://stackoverflow.com/questions/227939/handling-options-request-in-nginx. Pre-flight won't work. You may be able to get basic GET working if you make sure no X- headers are sent. – Hemlock Jan 17 '11 at 12:37
  • I tried with preflight, and it didn't work either... besides, the Date header is pretty standard, and I don't want to increase my header size by having twice the same Date info in different fields. – Marc Trudel Jan 17 '11 at 12:48
  • Did you ever find a solution to this? I ran into the exact same problem last week. CORS requests go through and I get the data back -- but I can't access the responseHeaders. Bit of a problem for me since the API I'm using returns 201:s with the Location header pointing to the resource ;) – Christoffer Klang Apr 08 '11 at 09:14
  • As far as I have seen, no, there was no solution. We just ended up changing the way we were splitting resources on our network... as far as I have found, however, so far no headers except one or two are considered safe by most browsers supporting CORS calls. I could add it as an answer, but the W3C doc being incomplete and the browser behavior specs sparse, I cannot confirm entirely. – Marc Trudel May 06 '11 at 03:14

4 Answers

1

In order for headers to be exposed to JS, you need to set the Access-Control-Expose-Headers header to a comma-separated list of headers you want to expose.

Unfortunately, this header is poorly supported. Mozilla only implemented it in Firefox 4, WebKit as of this moment still does not implement it. I am not sure about IE8 and above (Google didn't turn up anything useful, and I don't have them around to test with myself).

(see also e.g. Restrictions of XMLHttpRequest's getResponseHeader()? )

Gijs
  • Should have updated the question with that info... I had found this at the time, and just got lazy :S However I *think* that this didn't work when we tried it. I'll try soon and see what happens. – Marc Trudel Feb 09 '12 at 11:22
0

I was in the same situation yesterday. https://stackoverflow.com/users/713326/gijs gave you the right answer, but there is another part, specific to nginx, that you have to take care of. add_header works only when the response from a service is successful (200, 204, 301, 302 or 304). You have to do a custom build of nginx to include HttpHeadersMoreModule (http://wiki.nginx.org/HttpHeadersMoreModule). After that, you have to replace add_header with more_set_headers.

Example:

    more_set_headers 'Access-Control-Allow-Origin: $http_origin';
    more_set_headers 'Access-Control-Allow-Credentials: false';
    more_set_headers 'Access-Control-Allow-Methods: GET, POST, OPTIONS, HEAD, PUT, PATCH, DELETE';
    more_set_headers 'Access-Control-Allow-Headers:Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Accept,Authorization';
    more_set_headers 'Access-Control-Expose-Headers: Location';
devsprint
0

REQUEST:

    $.ajax({
        url: "http://localhost:8079/students/add/",
        type: "POST",
        crossDomain: true,
        data: JSON.stringify(somejson),
        dataType: "json",
        success: function (response) {
            // dataType "json" means jQuery has already parsed the body
            alert(response.status);
        },
        error: function (xhr, status) {
            alert("error");
        }
    });

RESPONSE:

    import json
    from django.http import HttpResponse  # assuming Django's HttpResponse

    def add_student(request):  # hypothetical view name
        # Serialize a dict, not a pre-built JSON string, to avoid double encoding
        response = HttpResponse(json.dumps({"status": "success"}))
        response["Content-Type"] = "application/json"
        response["Access-Control-Allow-Origin"] = "*"
        return response

Hassan Zaheer
0

Have you verified that your server is actually emitting the Cache-Control, Pragma and Date headers? Perhaps set up a Wireshark trace on the client to see the actual HTTP headers that are being exchanged?

monsur
  • The date header gets out, which is the only one I am concerned about at the moment. But it doesn't make it through JS; only the Content-type header is available, all other accesses to the headers being flagged as unsafe. – Marc Trudel Jan 24 '11 at 07:51