HttpHeaders not being added when making a GET request in Chrome

Question

I'm attempting to append an authorization token onto my GET request for a list of users. Here's a list of what I've done:

I've looked at this question here in which the answer suggests several things including:

Setting the header directly in the request:

    let headers = new HttpHeaders().set('Authorization', 'Token fsadf423qfsadfsda');
    return this.httpClient.get('https/my-url/api/users/', { headers: headers });

Cloning the request in the interceptor and appending the headers:

    let apiUrl = environment.apiUrl;
    const headers = new HttpHeaders({ 'Authorization': 'Token fsadf423qfsadfsda' });
    const apiReq = req.clone({ headers: headers, url: `${apiUrl}${req.url}` });
    return next.handle(apiReq);

The last point above actually works in Safari but not in Chrome. I selected the Disable Cross-Origin Restrictions in Safari and it worked.

In Chrome I already have installed the CORS Toggle extension and have it running but it doesn't work, nor does running Chrome from the command line like this:

open -a Google\ Chrome --args --disable-web-security

Is this a Chrome specific issue? My version is Version 65.0.3325.181

EDIT

Screenshot of the requests:

EDIT 2

A nice article on understanding CORS

@AkankshaGaur Why? Also - it doesn't work on both Chrome and Safari — Katana24, Apr 10 '18 at 11:07
https://security.stackexchange.com/questions/108662/why-is-bearer-required-before-the-token-in-authorization-header-in-a-http-re — Akanksha Gaur, Apr 10 '18 at 11:10
how did you check it's not working? Did you make sure you're looking at the GET request, and not the OPTIONS request? — David, Apr 10 '18 at 11:57
@David According to the network tab there's only one request coming and it's an OPTIONS which suggest the GET is being transformed. See my edit for a screenshot — Katana24, Apr 10 '18 at 12:33

David · Accepted Answer · 2018-04-10T12:47:05.670

1

It's normal behaviour, due to CORS implementation.

By default, the preflight request will NOT send any custom headers, like Authorization.

The Authorization header will be added only when the real GET request gets executed, after the OPTIONS request.

For the OPTIONS request to successfully execute, you need to make sure you configure CORS headers correctly server-side

Make sure you read the browser's debugger messages, they usually tell you which CORS headers is missing/invalid

edited Apr 10 '18 at 12:47

answered Apr 10 '18 at 12:41

David

33,444
11
80
118

So from the screenshot above which should the server have? – Katana24 Apr 10 '18 at 13:16
From your screenshot above your server is badly configured since it returns a 401 for the OPTIONS request. The OPTIONS request should just return a 200 http code It's probably because your server checks for the Authorization header for an OPTIONS request (which it should NOT do) – David Apr 10 '18 at 13:18

HttpHeaders not being added when making a GET request in Chrome

1 Answers1