craftcms/element-api

CORS problem on v2.8.2, but not 2.7.0

patrikalienus opened this issue · 1 comments

Description

We're using an endpoint to grab the TOS from a Craft post and displaying it inside a JS app. The endpoint we do this through looks like this:

'endpoints' => [
	'cms-api/<country:>/tos' => function ($country) {
		Craft::$app->getResponse()->getHeaders()
			->set('Access-Control-Allow-Origin', '*')
			->set('Access-Control-Allow-Headers', '*,authorization');

		return [
			'elementType' => Entry::class,
			'criteria' => [
				'section' => 'termsOfService',
				'site' => getSite($country)
			],
			'transformer' => function (Entry $entry) {
				return [
					'id' => $entry->id,
					'text' => $entry->text,
					'content' => $entry->redactorSimple
				];
			},
		];
	}
];

This works perfectly fine in Element API 2.7.0, but not 2.8.2 (latest at the time of writing).

Requesting the endpoint directly from within the browser works fine and the Access-Control headers both look correct. It's only when requesting the endpoint from a JS app the the problem occurs. The JS app sends HTTP_ORIGIN which the browser does not AFAIK.

Steps to reproduce

  1. Request an endpoint through a JS app and this error pops up in the console:

Access to XMLHttpRequest at '[ENDPOINT]' from origin '[JS APP URL]' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Additional info

  • Craft CMS version: 3.6.18
  • Element API version: 2.8.2
  • PHP version: 7.4
  • Database driver & version: MySQL
  • Plugins & versions:
"jalendport/craft-queuemanager": "^1.2",  
"nystudio107/craft-cookies": "^1.1",  
"nystudio107/craft-minify": "^1.2.10",  
"nystudio107/craft-retour": "3.1.61",  
"nystudio107/craft-seomatic": "3.4.10",  
"presseddigital/colorit": "1.1.2.1",  
"putyourlightson/craft-blitz": "3.10.3",  
"spacecatninja/imager-x": "v3.5.2",  
"spicyweb/craft-neo": "2.11.9",

Thanks for pointing that out! Just released 2.8.3 with a fix.