
I have a Google Chrome extension that logs in to SugarCRM using XMLHttpRequest, and after that I send another GET request to fetch user data with the OAuth-Token in the header, but I get the Cross-Origin Resource Sharing (CORS) error:

Access to XMLHttpRequest at 'https://web-site/rest/v10/Users?order_by=first_name%3Aasc&max_num=1000&deleted=0&method=&input_type=JSON&response_type=JSON' from origin 'https://mail.google.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

My rest call function is:

// Generic wrapper around $.ajax for SugarCRM REST calls.
// `type` is the HTTP method (e.g. "GET"), `method` is the SugarCRM REST method name.
function dorestCall(url, type, method, data, success_callback, error_callback, complete_callback) {
    $.ajax({
        url: url,
        data: {
            method: method,
            input_type: "JSON",
            response_type: "JSON",
            // rest_data: data // rest data
        },
        type: type, // GET request
        beforeSend: function (xhr) {
            // Custom (non-safelisted) request header: the browser will send an
            // OPTIONS preflight before this request when it is cross-origin.
            if (SUGAR.OAuthToken) {
                xhr.setRequestHeader("OAuth-Token", SUGAR.OAuthToken);
            }
        },
        success: function (data, textStatus, jqXHR) {
            if (success_callback) {
                success_callback(data, textStatus, jqXHR);
            }
        },
        error: function (xhr, error, errorThrown) {
            console.log("in error");
            if (error_callback) {
                error_callback(xhr, error, errorThrown);
            }
        },
        complete: function () {
            if (complete_callback) {
                complete_callback();
            }
        }
    });
}

My Request Headers are:

Request URL: https://site-url/rest/v10/Users?order_by=first_name%3Aasc&max_num=1000&deleted=0&method=&input_type=JSON&response_type=JSON

Referrer Policy: strict-origin-when-cross-origin

Accept: application/json, text/javascript, */*; q=0.01

OAuth-Token: ///token///

Referer: https://mail.google.com/

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36

X-Requested-With: XMLHttpRequest

order_by: first_name:asc

max_num: 1000

deleted: 0

method:

input_type: JSON

response_type: JSON

I have tried to set dataType: "jsonp", cors: true and headers: {'Access-Control-Allow-Origin': '*',} but nothing works for me.

Moeez Saiyam
  • `Access-Control-Allow-Origin` is set by the **server** to allow your client access to the resource - if not set by the server, then the server simply does not allow your client access - make the request using **your server** and it possibly will work – Jaromanda X Oct 22 '20 at 05:39
  • Access-Control-Allow-Origin is already set by the server. Previously I have made a POST request from my chrome extension to get an O-Auth token that returned the status "OK" but now get_user and get_groups API is giving the error. Is there any issue with the rest Call function that is mentioned above or at the server-side? – Moeez Saiyam Oct 22 '20 at 07:18
  • does the server support `CORS preflight request` - because having an `"OAuth-Token"` header will trigger a pre-flight `OPTIONS` request - if it's your server, you need to make sure you handle such a method – Jaromanda X Oct 22 '20 at 08:08
  • This is a chrome extension that is integrated with Gmail, not a plain javascript code so I think Gmail is blocking the request. Can you tell me how to check if my server supports CORS preflight or not? – Moeez Saiyam Oct 22 '20 at 09:41
  • is it your server that is returning the `Response to preflight request doesn't pass access control check: It does not have HTTP ok status` error? if so, then it depends on your server code ... check it by checking you've implemented CORS correctly, just sending access-control headers for GET or POST isn't enough, you will have to handle the `OPTIONS` request correctly as well – Jaromanda X Oct 22 '20 at 09:44
  • I think that issue is related to Google Chrome because when I disable the "CORS for content scripts" from chrome://flags/#cors-for-content-scripts, everything starts working fine. Is there any possible solution so it works without disabling "CORS for content scripts"? – Moeez Saiyam Oct 23 '20 at 06:20
  • yes, don't make the request in a content script – Jaromanda X Oct 23 '20 at 06:34
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/223504/discussion-between-moeez-saiyam-and-jaromanda-x). – Moeez Saiyam Oct 23 '20 at 07:18
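The comments above say the custom OAuth-Token header forces an OPTIONS preflight and that the server must answer it with a 2xx. The following is an added example, not code from the question or from SugarCRM, of a minimal Node.js server that does this correctly. The allowed origin, the allowed header list and the URL scheme are assumptions chosen for the example; the "oauth-token" header name is the one from the question. It also shows the usual cause of "It does not have HTTP ok status": the preflight arrives without the token, so an auth check that runs before the CORS handler answers the OPTIONS with 401.

```javascript
// Added example (not the question's or SugarCRM's code): a minimal CORS
// preflight handler. Start a demo server with:
//   CORS_DEMO_PORT=8080 node cors-preflight.js
const http = require('http');

// Origins permitted to call the API (constructed for this example).
const ALLOWED_ORIGINS = new Set(['https://mail.google.com']);
const ALLOWED_METHODS = ['GET', 'POST', 'OPTIONS'];
// Non-safelisted request headers the API accepts. Listed explicitly rather
// than echoing Access-Control-Request-Headers back blindly.
const ALLOWED_HEADERS = ['oauth-token', 'content-type', 'x-requested-with'];

// Headers a browser may send cross-origin without a preflight (the
// CORS-safelisted set, simplified: value constraints are not modelled).
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

// True when the browser would send an OPTIONS preflight before this request.
function needsPreflight(method, headerNames) {
  const simpleMethod = ['GET', 'HEAD', 'POST'].includes(method.toUpperCase());
  const onlySafeHeaders = headerNames.every(h => SAFELISTED.has(h.toLowerCase()));
  return !(simpleMethod && onlySafeHeaders);
}

// Pure decision function: given method and (lower-cased) request headers,
// return the status, response headers and body the server should send.
function corsResponse(method, reqHeaders) {
  const origin = reqHeaders['origin'];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    // Not an origin we accept: no Access-Control-Allow-Origin, browser blocks it.
    return { status: 403, headers: {}, body: 'origin not allowed' };
  }
  const headers = { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };

  if (method.toUpperCase() === 'OPTIONS' && reqHeaders['access-control-request-method']) {
    const wantMethod = reqHeaders['access-control-request-method'].toUpperCase();
    const wantHeaders = (reqHeaders['access-control-request-headers'] || '')
      .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
    const ok = ALLOWED_METHODS.includes(wantMethod) &&
      wantHeaders.every(h => ALLOWED_HEADERS.includes(h) || SAFELISTED.has(h));
    if (!ok) return { status: 403, headers: {}, body: 'preflight rejected' };
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600';
    // The preflight must get a 2xx. A 401/405 here is exactly what the
    // browser reports as "It does not have HTTP ok status".
    return { status: 204, headers, body: '' };
  }

  // Actual request: only now check the OAuth-Token. The preflight above
  // arrives WITHOUT it, so the auth check must not run before this point.
  if (!reqHeaders['oauth-token']) return { status: 401, headers, body: 'missing token' };
  return { status: 200, headers, body: JSON.stringify({ records: [] }) };
}

function startServer(port) {
  return http.createServer((req, res) => {
    const r = corsResponse(req.method, req.headers); // node lower-cases header names
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  }).listen(port);
}

module.exports = { needsPreflight, corsResponse, startServer };

if (require.main === module && process.env.CORS_DEMO_PORT) {
  startServer(Number(process.env.CORS_DEMO_PORT));
}
```

The allow-list is returned as a fixed set rather than echoing whatever the browser asked for, and `Access-Control-Allow-Origin` is the specific origin (with `Vary: Origin`) rather than `*`, which matters if the API ever switches to credentialed requests.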
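The last suggestion in the comments is not to make the request from the content script at all. The following is an added example, not code from the question, showing how that looks in a Manifest V3 extension: the content script running on mail.google.com only sends a message, and the background service worker, which runs in the extension's own origin under `host_permissions`, performs the fetch. The SugarCRM base URL `https://sugar.example.test` and the message type name are constructed placeholders; the `/rest/v10/Users` path and the `OAuth-Token` header come from the question.

```javascript
// Added example (not the question's code): fetch from the background
// service worker instead of the content script. Manifest V3 assumed.
//
// manifest.json (only the relevant keys, hypothetical):
//   "host_permissions": ["https://sugar.example.test/*"],
//   "background": { "service_worker": "background.js" },
//   "content_scripts": [{ "matches": ["https://mail.google.com/*"], "js": ["content.js"] }]

// ---- shared: build the same request the question sends ----
function buildUsersRequest(baseUrl, token) {
  const url = new URL('/rest/v10/Users', baseUrl);
  url.searchParams.set('order_by', 'first_name:asc');
  url.searchParams.set('max_num', '1000');
  url.searchParams.set('deleted', '0');
  return {
    url: url.toString(),
    init: { method: 'GET', headers: { 'OAuth-Token': token, 'Accept': 'application/json' } },
  };
}

// ---- background.js ----
// Validates the message and performs the fetch. `fetchImpl` is injected so
// the handler can be exercised without a network; `state` holds the token
// obtained by the login call (also done here, not in the content script).
async function handleMessage(msg, sender, state, fetchImpl) {
  // Accept messages only from this extension's own content scripts.
  if (!sender || sender.id !== state.extensionId) return { ok: false, error: 'untrusted sender' };
  if (!msg || msg.type !== 'sugar:listUsers') return { ok: false, error: 'unknown message' };
  if (!state.token) return { ok: false, error: 'not logged in' };
  const { url, init } = buildUsersRequest(state.baseUrl, state.token);
  const res = await fetchImpl(url, init);
  if (!res.ok) return { ok: false, error: 'HTTP ' + res.status };
  return { ok: true, users: await res.json() };
}

// Registered only when running inside an extension (guarded so the module
// also loads under plain Node for testing).
if (typeof chrome !== 'undefined' && chrome.runtime && chrome.runtime.onMessage) {
  const state = { extensionId: chrome.runtime.id, baseUrl: 'https://sugar.example.test', token: null };
  chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
    handleMessage(msg, sender, state, fetch).then(sendResponse);
    return true; // keep the channel open for the async reply
  });
}

// ---- content.js ----
// The content script never talks to SugarCRM directly: it asks the
// background worker and gets plain data back, so no CORS check is
// evaluated against the mail.google.com origin.
function requestUsersFromBackground(runtime) {
  return new Promise(resolve => runtime.sendMessage({ type: 'sugar:listUsers' }, resolve));
}

module.exports = { buildUsersRequest, handleMessage, requestUsersFromBackground };
```

Keeping the token in the service worker rather than the content script also keeps it out of the page's JavaScript context, which is the reason the sender check in `handleMessage` is there: the content script is the only caller that should be able to trigger an authenticated call.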
