3

My Firefox is issuing an OPTIONS preflight request to my private backend to make a subsequent GET request with credentials.

The preflight request includes the headers

Origin http://localhost:9670
Access-Control-Request-Headers authorization
Access-Control-Request-Method GET

My server responds with

Access-Control-Allow-Credentials true
Access-Control-Allow-Origin http://localhost:9670
Vary: Origin

According to the docs I found, that should be fine.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials

Anyway, my Firefox still states

CORS Missing Allow Header

in the Transferred section of the Network tab in the Developer Console.

What is my server response missing?

ulrich
  • Were you trying to run Firefox with ng serve? This would have been helpful 2 hours ago, before finally finding this question/answer. – Collin Jun 09 '22 at 19:18

1 Answer

11

In addition to

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:9670
Vary: Origin

the response to the preflight request must also contain

Access-Control-Allow-Headers: Authorization

Otherwise, the access control check will fail and your browser won't send the actual (preflighted) request. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers

Are you implementing CORS from scratch in the backend? If so, why not use a (good) CORS library, which you could configure to take care of all this for you?

jub0bs
  • 1
    I added those two headers and the preflight goes through now! Thanks. – ulrich Oct 07 '21 at 09:59
  • 1
    I have to check about the CORS library, that might be a good idea. – ulrich Oct 07 '21 at 10:08
  • Even with Authorization header I still received the error. Turned out I needed `header('Access-Control-Allow-Headers: authorization,x-csrf-token')`. Basically check the content of `$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']` and see if you might need to add more to your response header. See also: https://stackoverflow.com/questions/8719276/cross-origin-request-headerscors-with-php-headers – nuala Jun 23 '22 at 10:21
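
The check that the answer and the last comment describe, as an added JavaScript example that is not part of the original thread: a simplified model of how a browser evaluates a preflight response under the Fetch standard, run against the headers from the question. `checkPreflight`, `parseList` and the sample objects are hypothetical names introduced here.

```javascript
// Simplified model of the browser's preflight check (Fetch standard); the
// response status check is omitted. Header maps use lower-case names.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const parseList = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

// Returns the reasons a preflight would be rejected (empty array = passes).
function checkPreflight(request, response, withCredentials) {
  const problems = [];
  const allowOrigin = response["access-control-allow-origin"];
  // With credentials, "*" is not accepted as an origin match.
  const originOk = allowOrigin === request["origin"] ||
    (!withCredentials && allowOrigin === "*");
  if (!originOk) problems.push("origin not allowed");
  if (withCredentials && response["access-control-allow-credentials"] !== "true")
    problems.push("credentials not allowed");

  const method = request["access-control-request-method"];
  const methods = parseList(response["access-control-allow-methods"]);
  const methodOk = SAFELISTED_METHODS.has(method) || methods.includes(method) ||
    (!withCredentials && methods.includes("*"));
  if (!methodOk) problems.push(`method not allowed: ${method}`);

  const lower = (list) => list.map((s) => s.toLowerCase());
  const allowed = lower(parseList(response["access-control-allow-headers"]));
  const wildcard = !withCredentials && allowed.includes("*");
  for (const name of lower(parseList(request["access-control-request-headers"]))) {
    // "authorization" is never covered by "*"; it must be listed by name.
    const covered = allowed.includes(name) || (wildcard && name !== "authorization");
    if (!covered) problems.push(`header not allowed: ${name}`);
  }
  return problems;
}

// Headers from the question and answer, written out as objects (constructed).
const preflightRequest = {
  "origin": "http://localhost:9670",
  "access-control-request-headers": "authorization",
  "access-control-request-method": "GET",
};
const originalResponse = {
  "access-control-allow-credentials": "true",
  "access-control-allow-origin": "http://localhost:9670",
  "vary": "Origin",
};
const fixedResponse = { ...originalResponse, "access-control-allow-headers": "Authorization" };

console.log(checkPreflight(preflightRequest, originalResponse, true));
console.log(checkPreflight(preflightRequest, fixedResponse, true));
```

GET is a CORS-safelisted method, which is why the question's response passes the method check without an `Access-Control-Allow-Methods` header and fails only on the requested `authorization` header.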