CORS problem on v2.8.2, but not 2.7.0
patrikalienus opened this issue · 1 comments
Description
We're using an endpoint to grab the TOS from a Craft post and displaying it inside a JS app. The endpoint we do this through looks like this:
'endpoints' => [
'cms-api/<country:>/tos' => function ($country) {
Craft::$app->getResponse()->getHeaders()
->set('Access-Control-Allow-Origin', '*')
->set('Access-Control-Allow-Headers', '*,authorization');
return [
'elementType' => Entry::class,
'criteria' => [
'section' => 'termsOfService',
'site' => getSite($country)
],
'transformer' => function (Entry $entry) {
return [
'id' => $entry->id,
'text' => $entry->text,
'content' => $entry->redactorSimple
];
},
];
}
];
This works perfectly fine in Element API 2.7.0, but not 2.8.2 (latest at the time of writing).
Requesting the endpoint directly from within the browser works fine and the Access-Control headers both look correct. It's only when requesting the endpoint from a JS app the the problem occurs. The JS app sends HTTP_ORIGIN which the browser does not AFAIK.
Steps to reproduce
- Request an endpoint through a JS app and this error pops up in the console:
Access to XMLHttpRequest at '[ENDPOINT]' from origin '[JS APP URL]' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Additional info
- Craft CMS version: 3.6.18
- Element API version: 2.8.2
- PHP version: 7.4
- Database driver & version: MySQL
- Plugins & versions:
"jalendport/craft-queuemanager": "^1.2",
"nystudio107/craft-cookies": "^1.1",
"nystudio107/craft-minify": "^1.2.10",
"nystudio107/craft-retour": "3.1.61",
"nystudio107/craft-seomatic": "3.4.10",
"presseddigital/colorit": "1.1.2.1",
"putyourlightson/craft-blitz": "3.10.3",
"spacecatninja/imager-x": "v3.5.2",
"spicyweb/craft-neo": "2.11.9",
Thanks for pointing that out! Just released 2.8.3 with a fix.