I'm developing a back-end RESTfull app with ExpressJS(Node). And reading with angularJS. I got this error on chrome.
**
XMLHttpRequest cannot load http://local.dev:3000/api. No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://local.dev:63359' is therefore not allowed
access.
**
Note : ExpressJS api working on Postman app. Postman app is successfully get data.
This is my code
ANGULARJS
$http.post("http://local.dev:3000/api",{
"username" :'JJ',
"email" : 'email#email.com'
}).then(function(mes){
console.log(mes);
});
EXPRESSJS
router.get('/', function(req, res) {
res.json({ message: 'hooray! welcome to our api!' });
});
Thanks in advance.
This is the CORS browser limitation. Your server will have to response with some headers to tell the browser cross domain access is allowed.
If you search around there are a few middleware as node package (eg. express-cors) available. But I found sometimes they does not work as what I want. So here is the one I used:
app.use(function(req, res, next) {
res.header("Access-Control-Allow-Origin", "*");
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
res.header("Access-Control-Allow-Headers", "X-Requested-With,Content-Type,Cache-Control");
if (req.method === 'OPTIONS') {
res.statusCode = 204;
return res.end();
} else {
return next();
}
});
By the way, you will have to use this middleware for the server you are accessing ( http://local.dev:3000/api )
When trying to access a cross origin resource, the browser will try to make a Options request to read these special header and decide if the server allow the access. This is why, for Options request, you can response straight away without passing the flow using 'next()'.
You can also edit the list of methods allow by editing the Access-Control-Allow-Methods header.
Access-Control-Allow-Headers header is optional, you can use it to limit the headers that can be used.
Related
I have some CORS problem with NodeJS Express and ReactJS. Please help me.
Now, I have both frontend(http://locahost:3000) and backend(http://locahost:4000) using different PORT.
The frontend is using 3000 port with ReactJS and the Backend is using 4000 port with NodeJS Express.
Frontend API call source code
axios.get("/tube/latestted",
{
headers: {
"Content-Type": "application/json",
},
})
.then(response => {
console.log(response);
});
Backend CORS setting source code
app.all('/*', function (req, res, next) {
res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
res.header('Access-Control-Allow-Headers', 'Content-Type');
next();
});
or
var cors = require('cors');
app.use(cors());
But it still has the same problem as the blow error message, even though I set up CORS setup.
Access to XMLHttpRequest at 'http://localhost:4000/tube/latestted' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Using Content-Type: application/json on your client-side request makes your cross origin request into a request that needs pre-flight and the client will send an OPTIONS request to your that route on your server essentially asking your server if it's permissible to make a cross origin call to that route. For that type of request to succeed in a browser, you need a handler for the OPTIONS verb that returns a 200 status like this:
app.options("/tube/latestted", (req, res, next) => {
res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
res.header('Access-Control-Allow-Headers', 'Content-Type');
res.sendStatus(200);
});
But, a simpler solution is likely to just remove the custom Content-Type header from your client request. The Content-Type header specifies the type of content you are SENDING with the request, not the type of content you are expecting back. Since you are sending no data with the GET request, you do not need that header and it is that header that is making your Ajax call go from a Simple Request to a Pre-Flighted Request which requires the OPTIONS preflight.
The only Content-Type header values that are allowed without preflight are:
application/x-www-form-urlencoded
multipart/form-data
text/plain
You will notice that application/json is not listed so using that content-type is forcing the browser to do pre-flight which your server is not handling.
So, the first thing to try is to change the client request to this:
axios.get("/tube/latestted")
.then(response => {
console.log(response);
}).catch(err => {
console.log(err);
});
If that doesn't work, then you should diagnose further by looking at the Chrome debugger Network tab in the browser and see exactly what is happening when the browser runs that Ajax call. Chances are you will see an OPTIONS request that comes back as a 404 or some other non-200 status. If that's the case, then you need to add a specific OPTIONS handler in your server that returns a 200 status for that route. You have middleware that will set the CORS headers, but you call next() in that route so since there is no other matching OPTIONS route handler, it will presumably fall through to a 404 handler and thus the browser thinks the OPTIONS request has failed.
I currently have access control allow origin set to *
When I try uploading a file without authorization cors blocks my request
I get these errors:
Access to XMLHttpRequest at 'https://serverurl.com' from origin 'https://fronendurl.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I'm using express and Node.js
This is my app.js file
app.use(cors());
app.use(function(req, res, next) {
res.header("Access-Control-Allow-Origin", '*');
res.header("Access-Control-Allow-Credentials", true);
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
res.header("Access-Control-Allow-Headers", 'Origin,X-Requested-With,Content-Type,Accept,content-type,application/json');
next();
});
I'm assuming both https://fronendurl.com and https://serverurl.com are sitting on the same machine.
If you're creating a call, say AJAX to a different domain than your page is on from the same origin <= This gets blocked by the browser as it usually allows a request in the same origin for security reasons.
For a quick medicine I would tryout moesif's chrome plugin or firefox plugin.
We have the following setup :
Front end code : REACT (Hosted using express js) (lets call this www.domainA.com)
Backend : .NET WEB API (Hosted in IIS 7.5) (lets call this www.domainB.com)
The domain of the FE app is making the request to GET data and POST data to the web api.
The GET is working perfectly, however whenever I am trying to POST data to the web API, its throwing the following error :
Request URL: http://www.domainB.com/api/postdataoperation
Request Method: OPTIONS
Status Code: 403 Forbidden
I have looked at many CORS articles and went ahead and setup HTTPResponseHeaders in IIS as follows :
Access-Control-Allow-Methods : POST,GET,OPTIONS,PUT,DELETE
Access-Control-Allow-Origin : http://www.domainA.com
The post request from react solution is as follows :
axios.post(`http://www.domainB.com/api/postdataoperation`, {userId});
The issue is that your server is not configured to respond to OPTIONS requests with the correct response status, 2xx success status.
The GET is working because it is not making a preflight request, as it meets the criteria to be a simple request as defined by the CORS documentation
On the other hand, the POST request meets the criteria to be a Preflighted request, meaning a preflight OPTIONS request should be made first.
In short, you have correctly setup the CORS response headers, but the server is not configured to respond with a 2xx response for OPTIONS method requests(commonly 200 status).
The server must respond to OPTIONS requests with a 2xx success status—typically 200 or 204.
If the server doesn’t do that, it makes no difference what Access-Control-* headers you have it configured to send. And the answer to configuring the server to handle OPTIONS requests in the right way—to send a 200 or 204 success message—depends on what server software it’s running
Borrowing the solution from this answer, do this on your backend, .NET WEB API:
In your BaseApiController.cs:
We do this to allow the OPTIONS http verb
public class BaseApiController : ApiController
{
public HttpResponseMessage Options()
{
return new HttpResponseMessage { StatusCode = HttpStatusCode.OK };
}
}
References
Preflighted requests
response for preflight 403 forbidden
Note
Running a nodejs server on domainA.com is irrelevent. The "axios" library can be used either to a) make XMLHttpRequests from the browser or b) make http requests from node.js. In this case it is the first option, the "axios.post" to domainB is done through a XMLHttpRequest from the browser, that `s why you get a preflighted request at domainB.com.
The answer from Jannes Botis explains well the Preflighted mechanism. I'm just adding the code I'm using to solve this issue on Node.js / Express
const express = require('express');
const app = express();
app.use((req, res, next) => {
res.setHeader('Access-Control-Allow-Origin', 'http://www.domainA.com');
res.setHeader('Access-Control-Allow-Methods', 'GET, POST, DELETE, OPTIONS');
res.setHeader(
'Access-Control-Allow-Headers',
'Origin, X-Requested-With, Content-Type, Accept, Authorization'
);
next();
});
// All OPTIONS requests return a simple status: 'OK'
app.options('*', (req, res) => {
res.json({
status: 'OK'
});
});
app.get('/', ...);
app.post('/api/postdataoperation', ...);
I am trying to get authorize from Fitbit. when I use Oauth2.0
frontend angular4
getAuthFromFitbit() {
this.http.get(this.BASE_URL + "/fitbit").subscribe(res => {
console.log(res.json());
});}
backend node.js
then I got this problem:
The error you see in the browser console is coming from a fitbit request, not from your server. Setting headers on your server will not help much in your case.
This is a Cross Origin Resource Sharing issue. You need to disable CORS in your browser.
i use this when front and back is not in same server.
app.use(function (req, res, next) {
res.header('Access-Control-Allow-Origin', "*");
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
res.header('Access-Control-Allow-Headers', 'Content-Type');
next();
})
Could you try this.
I have a stand-alone ExpressJS API that I have built that should be able to service mobile apps and web apps. I'm trying to test the API using a simple AngularJS client app that I have built. The API service runs fine when I host it locally.
I'm getting Cross Domain Request errors when trying to make a GET call to the API hosted on my external server. I'm using Chrome v39
EDIT: my error turns out to be an incorrect URL reference to my heroku API. Please see my answer, below.
XMLHttpRequest cannot load http://myservice.heroku.com/some-api-endpoint?request-parameter=value. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin http://localhost:5001 is therefore not allowed access.
After reading and scanning numerous articles, I've tried the following:
CORS Code on the API
Added to app.js
app.use(function(req, res, next) {
res.header("Access-Control-Allow-Origin", "*");
res.header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
res.header("Access-Control-Allow-Headers", "Cache-Control, Pragma, Origin, X-Requested-With, Content-Type, Accept");
res.header("Access-Control-Max-Age", "1728000");
res.header("Access-Control-Expose-Headers", "Cache-Control, Pragma, Origin, X-Requested-With, Content-Type, Accept");
if (req.method === 'OPTIONS') {
res.statusCode = 204;
return res.end();
} else {
return next();
}
});
CORS Code on the API (Attempt 2)
Using the CORS node_module instead of the above, yields the same errors
Added to Package.json
"cors" : "~2.5.2"
Added to app.js
var cors = require('cors');
app.use(cors());
Client Code (Attempt 1)
$http({
url: 'http://myservice.heroku.com/some-api-endpoint?request-parameter=value',
method: 'GET',
headers : {
"Origin" : "myclient.heroku.com",
"Access-Control-Expose-Headers": "X-Requested-With",
"Access-Control-Request-Method" : "GET",
"Access-Control-Request-Headers" : "Origin, X-Requested-With, Content-Type, Accept"
}
})
Errors in the chrome dev console:
Refused to set unsafe header "Origin" angular.js:9625
Refused to set unsafe header "Access-Control-Request-Method" angular.js:9625
Refused to set unsafe header "Access-Control-Request-Headers" angular.js:9625
XMLHttpRequest cannot load http://myservice.heroku.com/some-api-endpoint?request-parameter=value, which is disallowed for cross-origin requests that require preflight. (index):1
Client Code (Attempt 2)
thePath = 'http://myservice.heroku.com/some-api-endpoint?request-parameter=value'
+'&callback=JSON_CALLBACK';
$http.jsonp(thePath)
.success(function(data){
console.log(data);
});
Errors received in the Chrome Dev Console:
Uncaught SyntaxError: Unexpected token : endpoint?request-parameter=value&callback=angular.callbacks_0:1
This has been stumping me for two days. Any help is appreciated!
The error turned out to be the reference to applications hosted on Heroku. I was attempting to make my get requests to myapp.heroku.com and not myapp.herokuapp.com. This is a subtle difference that caused there error.
Using cURL or typing in the request into the browser's address bar for myapp.heroku.com will redirect your request to myapp.herokuapp.com and complete the request successfully. However, made from Angular.js $http() function resulted in the Cross Domain error.
The simplest problems seem to cause the most confusion.
You are taking a convoluted route for CORS. Use nodejs CORS middleware to do your stuff....
add,
"cors": "^2.5.1",
to your dependencies in package.json & in app module,
var cors = require('cors');
//add cors to do the cross site requests
app.use(cors());