0

im running 2 docker containers for some local testing. One is an API at websites.click, the other is webplanner.click:8081.

I'm attempting to request some data from my endpoint at websites.click/api/cache/clear-all, however im getting the following error:

Access to XMLHttpRequest at 'http://websites.click/api/cache/clear-all' from origin 'http://webplanner.click:8081' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

I'm requesting the data using Axios as follows:

window.axios.get('//websites.click/api/cache/clear-all', {

}).then(response => {
    console.log(response);
})

Now i'm assuming the issue is within my htaccess as the error mentions preflight redirect. This is the htaccess within websites.click/api/

RewriteEngine On
RewriteBase /api

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?request=$1 [QSA,NC,L]

Options All +Indexes
allow from all

I have also added the following to my /api/index.php which contains the Routes.

header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS');
header('Access-Control-Allow-Headers: Origin, Content-Type, X-Auth-Token');

Edit 1:

Made the recommended changes by removing the headers wet within the ajax request, still getting the same error:

Access to XMLHttpRequest at 'http://websites.click/api/cache/clear-all/' from origin 'http://webplanner.click:8081' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

This is the request within the XHR tab:

Request URL: http://websites.click/api/cache/clear-all/
Accept: application/json, text/plain, */*
Referer: http://webplanner.click:8081/admin/cache
X-Requested-With: XMLHttpRequest
X-Socket-Id: 126436.7368245
Martyn Ball
  • 4,679
  • 8
  • 56
  • 126

1 Answers1

1

Read the error message carefully:

Redirect is not allowed for a preflight request.

So something on your server is causing it to respond to the OPTIONS request with a redirect.

You need to find out what and stop it.

Quite possibly it the common Apache HTTPD redirect from //websites.click/api/cache/clear-all to //websites.click/api/cache/clear-all/, which in case you need to change the URL in the JavaScript to the correct one in the first place.

What's more…

'Access-Control-Allow-Origin': '*', is a response header. It would be utterly stupid for client-side JavaScript to be able to set a header to give itself permission that it doesn't have by default. Get rid of that.

'Content-Type': 'application/json', — You're making a GET request. There is no content in the request body to describe the type of. Get rid of it!

… and setting non-standard headers and setting the Content-Type to one that isn't in a short list that doesn't include JSON are both things that trigger a preflight request in the first place … so if you didn't have that nonsense you wouldn't be making a preflight and you wouldn't have this problem in the first place.

Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335
  • I have removed the headers set within the `Axios` request, and I have amended the URL to `http://websites.click/api/cache/clear-all/` and still getting the same error. – Martyn Ball Aug 30 '19 at 12:15
  • All else being equal, removing the header statements should have stopped the preflight. Are you certain that it is the **same** error and not a different CORS related error? – Quentin Aug 30 '19 at 12:16
  • Check the Network tab. See where the redirect is going to. I did say that it was only a possibility that the `/` was the difference. – Quentin Aug 30 '19 at 12:16
  • You need to look at the response to the OPTIONS request to see where it is being redirected to. – Quentin Aug 30 '19 at 12:20
  • And if you remove the code which sets `X-Requested-With: XMLHttpRequest` then you won't have a preflight. – Quentin Aug 30 '19 at 12:20
  • Not sure how to check the OPTIONS :/ Not something I have had to work with before. Also I believe `Axios` sets `X-Requested-With` – Martyn Ball Aug 30 '19 at 12:21
  • Actually I found where `X-Requested-With` is set, I removed this and the error was the same. – Martyn Ball Aug 30 '19 at 12:23
  • The OPTIONS request will be listed in the Network tab of the browser's developer tools. – Quentin Aug 30 '19 at 12:23
  • Click the x next to the Headers tab so you can see the full view of the list of requests. – Quentin Aug 30 '19 at 12:27
  • Still not OPTIONS tab i'm afraid! I'm using `Chrome`: https://i.imgur.com/Lsuejk3.jpg – Martyn Ball Aug 30 '19 at 12:29
  • Right click on the Name tab. Turn the Method tab on. – Quentin Aug 30 '19 at 12:30
  • Method is set to GET – Martyn Ball Aug 30 '19 at 12:31
  • The error message said there was a problem with the preflight request. It shouldn't be making the GET request at all. Are you sure the error message hasn't changed? – Quentin Aug 30 '19 at 12:32
  • Another option is to make a CURL request instead of aJax request? – Martyn Ball Aug 30 '19 at 12:40
  • https://stackoverflow.com/questions/57410051/chrome-not-showing-options-requests-in-network-tab - turns out Chrome now doesn't handle OPTIONS requests itself by default. You'll need to adjust your settings to debug it. – Quentin Aug 30 '19 at 12:47
  • I now get OPTIONS within the method after doing the above. Status code of 302, Location: /index.php – Martyn Ball Aug 30 '19 at 12:59
  • So figure out why you are getting a 302 redirect to index.php – Quentin Aug 30 '19 at 13:00
  • Well this will be due to the `htaccess` file which I posted originally? – Martyn Ball Aug 30 '19 at 13:00
  • I'm not an expert on mod_rewrite, but I don't see an `R` option there so I would have expected it to perform an internal redirect. If that isn't the case… then don't do that. – Quentin Aug 30 '19 at 13:01