10

I have a website and my REST api server.

I do ajax post request to the REST server to create new model. Answer for this request will be "HTTP/1.1 201 Created" response with header "Location: http://myapi.com/some/path/111" But I get error message Refused to get unsafe header "Location". I know that this is because of cross domain access policy and other bla bla bla.

Does anybody knows how to fix it? Maybe I have to add "Access-Controll-Allow-SOMETHINGHERE" header to the response?

UPD:

Web site URL http://www.mydomain.com/

Original URI is http://api.mydomain.com/model/ and new Location URI is http://api.mydomain.com/model/211

Original URI is used for ajax POST request, which responses with new Location header.

Eugene Manuilov
  • 4,271
  • 8
  • 32
  • 48

4 Answers4

8

It's because Location header is not exposed to calling client (in this case your ajax code) by default (it's 'unsafe'). To expose it you have to return additional header:

Access-Control-Expose-Headers: Location

This way browser will expose it, so the client can read it. You can add there multiple comma separated headers. More about it here. Here you can read which methods, headers & content types are safe (simple) and don't require any additional configuration.

MeTTeO
  • 2,088
  • 16
  • 19
  • Can you display this in the full code? – Evan Erickson Nov 04 '21 at 21:45
  • @EvanErickson it depends what backend language you use. For java when using Servlet Filter you can use `HttpServletResponse.setHeader("Access-Control-Expose-Headers", "Location");` In PHP I believe you could use `header('Access-Control-Expose-Headers: Location');` However I don't recommend such manual approach. You should be using a complete component which adds support for CORS in your app and allows configuration of allowed methods / headers (for Java: https://github.com/search?l=Java&q=cors+filter&type=Repositories) – MeTTeO Nov 28 '21 at 18:22
  • Yeah, unfortunately no one told BlueSnap that. That company has a credit card api which requires you to get a response from the location headers... Why they didn't put the payload in the body of the response I will never know. They want you to parse a header. Terrible company. – Evan Erickson Nov 30 '21 at 05:12
2

For Amazon S3 uploads (via Dropzone for instance) you need this in your CORS configuration.

<ExposeHeader>location</ExposeHeader>
Ryan
  • 4,594
  • 1
  • 32
  • 35
1

I'd just work around it, either by returning the new location as a value from the call or having the client code know where the newly created item is stored.

Another option is to create a proxy for the calls on the original domain.

Jeff Day
  • 3,629
  • 1
  • 18
  • 12
0
header Location: http://myapi.com/some/path/111"

That piece of code is completely wrong. Use it correct, or almost corret.

Try this:

header("Location: http://myapi.com/some/path/111");

or

header("Location: http://myapi.com/some/path/111"); exit();

If this not work, let me know :-)

Stian
  • 649
  • 3
  • 7
  • 15
  • 1
    Thanks Stian, but I know how to add Location header with PHP. The problem is in cross domain policy or something like this. I get error `Refused to get unsafe header “Location”` in browser console, instead of going by new URI. – Eugene Manuilov Oct 09 '11 at 09:00