In my react-admin application, I'm sending two api hits for each create action and I'm not sure why.
Network Tab Data
I have the django REST framework backend running as well, could this be the issue?
Your API is probably on another domain than the HTML page, so your browser sends a CORS preflight request to the server with the HTTP OPTIONS verb before sending a GET or a PUT. This is absolutely normal and there is nothing you can do to prevent it - apart from putting your API and your webapp on the same domain.
More information about CORS: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
Related
I set up cors in azure storage (URL-for example: www.abc.com, GET, * , *, 200)
Then i just copy the link from storage
https://demo.blob.core.windows.net/demo/demo.png
And use it on postman or localhost (web), but still can display pictures, is it normal?
I suppose postman and localhost website will not be able to get images, once cors is set up for azure storage.
CORS prevents cross domain requests that are usually send by AJAX requests. If such a request is send from your browser it will perform a preflight request to see if your current domain is allowed to make such a request. As example it would prevent this site from sending a POST request in the background to api.<yourbank>.com to transfer money.
It won't stop anybody from embedding an image or other file on their website as the browser won't perform such a preflight request unless they call the resource through an AJAX request. Likewise Postman won't do that as it's a testing tool where you explicitely define the request you want to send without being on another 'domain'.
I have a webservice working on a domain say www.abc.com . I want to configure my server so that none of the request coming from another domain (except from www.abc.com) will be accepted. I should not use user authentication or anything related to token based authentication. So, the only option i can think is CORS but i do not exactly know how to use it. Any help would be great.
I am using nodejs and express
Don't set a CORS header. Done.
To address your comment: Postman doesn't make Ajax requests, it makes requests. If you don't indicate in Postman that it's an Ajax request, it's just a standard client request.
See also how Postman send requests? ajax, same origin policy for some more details.
Hi I have a question about azure mobile apps.
Can I confirm HTTP request including header, body and url parameter in azure mobile apps when troubleshooting?
If yes, how can I confirm that?
For example, let me assume that client send a HTTP request to azure mobile apps, and a the response is bad request(status code 400).
Then I would like to figure out the cause.
First of all I set [Diagnostics log] - [Web server logging] as Storage in portal.azure.com,and confirmed the IIS log.
But there is no header, body info in the HTTP request.
So I did not find out the cause by that log.
Finally problem is solved by client logs by taking fiddler and cause is wrong info in body of the http request.
Above all, by taking fiddler log in client side, I was able to solve the problem but I would like to know if there is a way to confirm http request's header, body and url parameter in azure mobile apps side.
You can log the inbound query on the client or server side, or use something like Fiddler. For the server side, just use regular methods for Node.js or ASP.NET - nothing special is needed. For the client side, I documented the process for all platforms on my blog. Although the documentation is for adjusting the HTTP request, it's the same recipe for logging.
I am using Azure DocumentDB with REST API and trying to call the API from HTML page using Ajax requests. But I found that authorization headers are not getting added in a request. After searching, a lot, I found that it may be a CORS issue. Same request works well when POSTMAN tool is used. Security header got set in this case.
You're correct! DocumentDB REST API can't be called using AJAX from the browser because of CORS and right now it is not possible to configure CORS settings for a DocumentDB account.
I am currently developing an API that will be launched into production in a matter of weeks. I am relatively new to REST, started reading about CORS - and realized that it could impact me.
What conditions will a REST service not be accessible to a client? I have been using sample html/js on the same server, and through Postman - a google chrome addon - to access my API. I have had no issues so far.
When the API goes live, it will be hosted at 'api.myserver.com'. Requests, at the beginning, will come from 'app.myOTHERserver.com'. Will these requests be denied if I do not use a CORS-friendly approach like JSONP or special 'access-control' headers that permit my domain?
What about accessing rest APIs from other non-browser clients? Such as a C# application? Are these requests permitted by default?
Assuming I do need to add 'access-control' headers server-side, to permit the scenario described above when my API goes live, is it better (performance-wise) to let your web server (NGINX in my case) handle the headers, or should I add them through PHP or NodeJS?
This is more about the same-origin policy applied by web browsers than it is about RESTful APIs in general.
If your API is intended to be used by web applications deployed on a different origin host/port than the API, then you have these options:
Respond with appropriate headers that allow for techniques like CORS to work.
Have the web server which serves up your web content (in your example, app.myOTHERserver.com) handle your REST API requests too by proxifying your API requests from the web server through to the API server. For example, you could have your API exposed on your web server under the URL /api, and then it's just a matter of setting up a web proxy configuration that forwards requests under that URL to your API server.
Use JSONP or other techniques.
If your API is going to be used by non-web applications, you have nothing to worry about. This is only a restriction applied by browsers when running JavaScript code to make sure that the user hasn't inadvertently clicked on a phishing link with some hackery in it that tries to send their PayPal password to Pyongyang.
When the API goes live, it will be hosted at 'api.myserver.com'.
Requests, at the beginning, will come from 'app.myOTHERserver.com'.
Will these requests be denied if I do not use a CORS-friendly approach
like JSONP or special 'access-control' headers that permit my domain?
You can specify what clients can access your web service to an extend. Assuming you're using Express: How to allow CORS?