I published an API to an IIS server and everything works fine except for one function: error on localhost

The error only shows up when we test a function on localhost, but if I use Postman everything works. That is the only place in my code where I use CORS: [Image: Code with cors] [Image: Postman] What can I do to allow sending requests on localhost?

dejordi
  • It works through Postman because CORS is a browser implementation thing. https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS is great reading on the subject. So basically it is telling you that the token service does not allow you to call it cross-origin. CORS is a response header that the browser checks. 1. Browser sends request to token service 2. Token service responds. 3. Browser checks if CORS is allowed. 4. No. 5. Fail. – VisualBean Jul 23 '21 at 08:48
  • So basically the token service has its own CORS policy? – dejordi Jul 23 '21 at 08:51
  • Correct, or rather, probably, None. You could check the response in the network tab to see if it has a CORS header – VisualBean Jul 23 '21 at 08:54

1 Answer

It works through Postman because CORS is a browser implementation thing. Which is also why some calls might work through older IE versions. Postman does not check the CORS header and thus does not care.
CORS is to prevent XSS (I believe).

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS is great reading on the subject.

Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources.

So basically it is telling you that the token service does not allow you to call it cross-origin.
CORS is a response header that the browser checks.

  1. Browser sends request to token service
  2. Token service responds.
  3. Browser checks if CORS is allowed.
  4. No.
  5. Fail the "request".

TL;DR: CORS is a response header that the browser checks to decide whether or not to allow the response to go through to you. The header must be set by the service you are calling.

VisualBean
  • I found some other answers here: https://stackoverflow.com/questions/36285253/enable-cors-for-web-api-2-and-owin-token-authentication and basically it's saying that I need to enable CORS only once, but it is not working in my case. Do you have any idea why? – dejordi Jul 23 '21 at 08:55
  • It doesn't work just enabling it for your web service. That just means that others can call your web service from whichever domains (or *). The token service needs to allow CORS (at least to my understanding). Do you own the token service? If so, try spinning that up locally as well. Calling localhost (same domain) will be allowed by the browser. The header must be set by the service you are calling. – VisualBean Jul 23 '21 at 08:58
  • You could feasibly try and start Chrome (if you are using Chrome) with the `--disable-web-security` flag. See https://stackoverflow.com/questions/3102819/disable-same-origin-policy-in-chrome – VisualBean Jul 23 '21 at 09:02
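
The check described in the answer above, as an added example that is not part of the original post or the asker's code: a simplified model of how a browser decides whether page script may read a cross-origin response, next to a non-browser client such as Postman that performs no check. The URLs, ports and header values are constructed, and preflight requests are not modelled.

```javascript
// Added example: simplified model of the browser's CORS response check.
// All URLs, ports and header values below are constructed for illustration.

// Two URLs are same-origin only if scheme, host and port all match.
function sameOrigin(pageUrl, targetUrl) {
  return new URL(pageUrl).origin === new URL(targetUrl).origin;
}

// Decide whether page script may read a response, the way a browser would.
// headers: response headers keyed by lower-case name.
function browserAllowsRead(pageUrl, targetUrl, headers, withCredentials = false) {
  if (sameOrigin(pageUrl, targetUrl)) return true;   // CORS is not involved
  const origin = new URL(pageUrl).origin;
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) return false;               // header missing: blocked
  if (acao === "*") return !withCredentials;          // wildcard is rejected for credentialed requests
  if (acao !== origin) return false;                  // exact match only; no lists, no prefixes
  if (withCredentials) {
    return headers["access-control-allow-credentials"] === "true";
  }
  return true;
}

// A non-browser client such as Postman never runs this check.
function nonBrowserClientAllowsRead() {
  return true;
}

const page = "http://localhost:4200/";               // constructed front-end origin
const responses = [
  { name: "API with CORS enabled", url: "http://localhost:5000/api/values",
    headers: { "access-control-allow-origin": "http://localhost:4200" } },
  { name: "token endpoint, no CORS header", url: "http://localhost:5000/token",
    headers: { "content-type": "application/json" } },
  { name: "same origin as the page", url: "http://localhost:4200/token",
    headers: {} },
];

function report() {
  return responses.map((r) => ({
    name: r.name,
    browser: browserAllowsRead(page, r.url, r.headers),
    postman: nonBrowserClientAllowsRead(),
  }));
}

console.table(report());
```

The second row is the situation in the question: the API controllers send the header, the token endpoint does not, so only the browser rejects the token response.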