whatyouhide/corsica

Access-Control-Allow-Origin header is not present

lobo-tuerto opened this issue · 5 comments

Hello,

I've been using CorsPlug, but I'm missing a feature that Corsica already has: mschae/cors_plug#50

So this is my mix.exs:

  defp deps do
    [
      # ...
      # CORS configuration
      {:cors_plug, "~> 1.5"},
      {:corsica, "~> 1.0"}
    ]
  end

This is my endpoint.ex:

  # ...
  #plug CORSPlug, origin: "http://localhost:8080"
  plug Corsica, origins: "http://localhost:8080"

  plug SomeApiWeb.Router
  # ...

Here are my request/response headers in question using Corsica:

REQUEST:

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Access-Control-Request-Headers: content-type
Access-Control-Request-Method: POST
Connection: keep-alive
Host: localhost:4000
Origin: http://localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0

RESPONSE:

HTTP/1.1 200 OK
cache-control: max-age=0, private, must-revalidate
content-length: 0
date: Mon, 16 Apr 2018 17:22:49 GMT
server: Cowboy

When uncommenting CORSPlug it works as intended; here are the results:

REQUEST:

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Access-Control-Request-Headers: content-type
Access-Control-Request-Method: POST
Connection: keep-alive
Host: localhost:4000
Origin: http://localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0

RESPONSE:

HTTP/1.1 204 No Content
access-control-allow-credentials: true
access-control-allow-headers: Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since,X-CSRF-Token
access-control-allow-methods: GET,POST,PUT,PATCH,DELETE,OPTIONS
access-control-allow-origin: http://localhost:8080
access-control-expose-headers: 
access-control-max-age: 1728000
cache-control: max-age=0, private, must-revalidate
content-length: 0
date: Mon, 16 Apr 2018 17:26:07 GMT
server: Cowboy
vary: Origin

Do you know what's going on? If it serves for anything I'm using Axios as an HTTP client.

Also, this is in a newly created API-only Phoenix app.

I even added :corsica to the extra_applications key in mix.exs:

  def application do
    [
      mod: {SomeApi.Application, []},
      extra_applications: [:corsica, :logger, :runtime_tools]
    ]
  end

Still, no luck...

See the :allow_headers option. From the Corsica documentation:

:allow_headers - a list of headers (as binaries) or :all. This is the list of headers allowed in the access-control-request-headers header of preflight requests. If a header requested by the preflight request is in this list or is a simple header (Accept, Accept-Language, or Content-Language), then that header is always allowed.

Something like

plug Corsica, origins: "http://localhost:8080", allow_headers: ["content-type"]

should work.

Also Corsica should log why it didn't accept the request. Doesn't it?

Hey, it worked!
And no, logging on error is not enabled by default (I read about that at the documentation link you kindly mentioned). You have to opt in to logging.

So (finally), my working configuration looks like this:

plug Corsica,
    origins: "http://localhost:8080",
    log: [rejected: :error, invalid: :warn, accepted: :debug],
    allow_headers: ["content-type"],
    allow_credentials: true

Thank you!
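An added example, not part of the thread and not Corsica's own code: a simplified model of the preflight decision discussed above, showing why the `content-type` request header led to a response with no CORS headers until it was listed in `:allow_headers`. The module `PreflightModel` and its return shapes are hypothetical; it checks only the origin and the requested headers, handles only the list form of `:allow_headers`, and assumes an empty list when the option is not given.

```elixir
# Simplified model of a preflight allow-list check. Hypothetical module, not Corsica's code.
defmodule PreflightModel do
  # Simple headers as listed in the documentation excerpt quoted in the thread.
  @simple_headers ~w(accept accept-language content-language)

  # req: map of lowercase request header names to values.
  # opts: keyword list named after the plug options used in the thread.
  def check(req, opts) do
    origin = Map.get(req, "origin")
    allowed = opts |> Keyword.get(:allow_headers, []) |> Enum.map(&String.downcase/1)
    requested = parse_list(Map.get(req, "access-control-request-headers", ""))
    refused = Enum.reject(requested, &(&1 in @simple_headers or &1 in allowed))

    cond do
      # Exact string comparison: a look-alike origin must not match.
      origin not in List.wrap(Keyword.fetch!(opts, :origins)) -> {:rejected, {:origin, origin}}
      refused != [] -> {:rejected, {:headers, refused}}
      true -> {:accepted, response_headers(origin, requested, opts)}
    end
  end

  defp parse_list(value) do
    value |> String.split(",", trim: true) |> Enum.map(&(&1 |> String.trim() |> String.downcase()))
  end

  # Model's choice: echo the requested headers back once all of them passed.
  defp response_headers(origin, requested, opts) do
    base = [
      {"access-control-allow-origin", origin},
      {"access-control-allow-headers", Enum.join(requested, ",")},
      {"vary", "origin"}
    ]

    if Keyword.get(opts, :allow_credentials, false),
      do: base ++ [{"access-control-allow-credentials", "true"}],
      else: base
  end
end

# CORS-relevant request headers copied from the preflight in the issue.
preflight = %{"origin" => "http://localhost:8080", "access-control-request-headers" => "content-type"}
working = [origins: "http://localhost:8080", allow_headers: ["content-type"], allow_credentials: true]

# First configuration in the thread: only :origins is set.
IO.inspect(PreflightModel.check(preflight, origins: "http://localhost:8080"))
# Working configuration from the end of the thread.
IO.inspect(PreflightModel.check(preflight, working))
# Constructed look-alike origin, checked against the working configuration.
IO.inspect(PreflightModel.check(%{preflight | "origin" => "http://localhost:8080.example"}, working))
```

Save it as a `.exs` file and run it with `elixir`; it uses only the standard library.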