I have an API built on CakePHP. It works for the most part but every once in a while browser access to the API dies. The error message on the XHR request response is:

Access to XMLHttpRequest at 'http://be:8888/api/pings' from origin 'http://localhost:8080' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

However if I make exactly the same request via POSTMAN (or if I browse directly to the URL, rather than via XHR) it works without any trouble. I thought it might be a pre-flight OPTIONS issue but the request headers don't list a Request Method and the Apache access log shows these to be GET requests. There's nothing related in the Apache error log.

Restarting MAMP – i.e. Apache – does not fix the issue, nor does flushing the local DNS cache. The only thing that fixes it is a restart, after which it all works fine again for a few hours before eventually going on the blink again.

I can't think of what's causing this. I don't think it's a true CORS middleware error because the restart fixes it and the API is accessible normally. Also if I put a die in during the CORS middleware __invoke method it doesn't get that far (the die in the webroot index should be hit first anyway).

I get this error even if I disable the app by putting die('here'); at the start of the webroot index.php file.

Even if I delete the index.php files (both in the project root and webroot) so that browsing to the URL shows Apache's default error 404 not found: The requested URL /webroot/index.php was not found on this server, I still get the CORS errors when trying via XHR in the browser.

I've only noticed this issue since upgrading to Mac OS X Catalina.

What could be causing this?

[Update:] Here's proof that it is working in the browser after a system restart:

Summary
URL: http://be:8888/api/clients
Status: 200 OK
Source: Network
Address: ::1.8888

Request
GET /api/clients HTTP/1.1
Accept: application/vnd.api+json
Content-Type: application/vnd.api+json
Origin: http://localhost:8080
Accept-Language: en-gb
Access-Control-Allow-Origin: *
Host: be:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15
Referer: http://localhost:8080/
Accept-Encoding: gzip, deflate
Connection: keep-alive

However, after a few hours it stops working. If it was actually a CORS issue my understanding is that it would NEVER work.

geoidesic
  • If it were a preflight problem then the error message would mention that. Do you see the same problem in other browsers? Do you have some sort of authentication in place that might be expiring? Try inspecting the response of a failed request in the Network tab of the developer tools and compare that to a succeeding request. – skirtle Feb 29 '20 at 15:23
  • Have you seen https://stackoverflow.com/a/10892392/2403513 ? CORS and localhost don't work in Chrome and other browsers – Andy Hoffner Feb 29 '20 at 19:40
  • @skirtle Yes, same problem in other browsers but not via POSTMAN. There's no response at all in the failed request. – geoidesic Feb 29 '20 at 19:41
  • @ahoffner thx but I think that link has answers that are confused and incorrect. Definitely does work on Chrome and other browsers. As I state in my original question it works most of the time, it just stops working after a period of time. – geoidesic Feb 29 '20 at 19:44
  • @geoidesic Wild guess but personally I'd try `netstat` or similar to check you don't have some sort of TCP port leak. You may have ports sitting around in waiting states long after they were used. – skirtle Feb 29 '20 at 20:02
  • Might be helpful to post what your access control headers are in the vhost/htaccess file. The reason it's always working in Postman is that Postman doesn't care about same origin policy, browsers do. – Andy Hoffner Feb 29 '20 at 20:18
  • @ahoffner the htaccess is all standard for CakePHP no changes there and nothing in there related to CORS. – geoidesic Feb 29 '20 at 20:57

1 Answer

I'm not an Apache/PHP professional, but make sure you query HTTPS via HTTPS and HTTP via HTTP; in other words, both sides should be the same. Also, check the request header, and add "access-control-origin" in the request header.

Wanming Hu
  • Yes, thank you, all of that is checked. As I said it works, so the config is correct. It's just that after a certain amount of time it stops working. It will work again after a restart of the computer, even though no code has changed. – geoidesic Feb 29 '20 at 12:39
  • I came back to this question again. Recently I met an interesting problem that I think I'd like to share. I made a mistake in the back end and it throws a runtime exception. So this is supposed to be a code 500, right? Instead the server tells me it is a CORS issue. So I fixed the exception and everything is fine. This is C# on Azure, though, so I'm not sure if Apache does the same thing. – Wanming Hu May 04 '20 at 00:21
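
Added example, not part of the original posts: a simplified model of the check a browser applies to the response of a cross-origin request, run over constructed responses like the ones discussed in this thread. It shows why a 404 or 500 served without CORS headers produces the same "No 'Access-Control-Allow-Origin' header" message as a misconfigured API; `corsCheck`, `verdicts` and the sample responses are hypothetical names and data.

```javascript
// Simplified model of the browser's CORS check on a cross-origin response.
// Only RESPONSE headers are consulted; anything the client puts in the
// request (other than Origin) cannot grant access.

function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

function corsCheck(origin, response, withCredentials = false) {
  const acao = header(response.headers, 'Access-Control-Allow-Origin');
  const status = response.status; // real status, hidden from page script when blocked
  if (acao === null) {
    return { allowed: false, status, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (acao === '*') {
    return withCredentials
      ? { allowed: false, status, reason: 'wildcard not allowed with credentials' }
      : { allowed: true, status, reason: 'wildcard' };
  }
  if (acao !== origin) {
    return { allowed: false, status, reason: 'header does not match Origin' };
  }
  if (withCredentials && header(response.headers, 'Access-Control-Allow-Credentials') !== 'true') {
    return { allowed: false, status, reason: 'credentials not allowed' };
  }
  return { allowed: true, status, reason: 'origin matches' };
}

// Constructed sample responses (not captured from the poster's server).
const samples = {
  apiOk: { status: 200, headers: { 'Access-Control-Allow-Origin': '*' } },
  apache404: { status: 404, headers: { 'Content-Type': 'text/html' } },
  backend500: { status: 500, headers: { 'Content-Type': 'text/html' } },
  otherOrigin: { status: 200, headers: { 'access-control-allow-origin': 'http://localhost:3000' } },
};

// Run the check for every sample response against one requesting origin.
function verdicts(origin) {
  return Object.fromEntries(
    Object.entries(samples).map(([name, res]) => [name, corsCheck(origin, res)])
  );
}

console.log(verdicts('http://localhost:8080'));
```

When the console reports this error, the underlying status code is only visible in the Network tab or the server access log, so compare those for a failing and a succeeding request before changing CORS configuration.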