CORS Problem with option request


08-19-2021, 10:46 AM:

Hello,

I have a content handler that delivers some GeoJSON for an OpenLayers map. We use custom HTTP headers for authentication.

All works well if called from inside my application. But if I call it from a second website, I get a "Missing CORS Header" error.

I have enabled CORS support according to this advice: https://www.atozed.com/2019/04/cors-supp...available/

My understanding is: the call generates an OPTIONS request, and this OPTIONS request is not answered correctly.

I tried to add Allow-Origin headers manually, but none of the events I tried were triggered by the OPTIONS request.

I tested ServerController.OnAfterDispatch, .OnBeforeDispatch and .OnNewSession, as well as ContentHandler.Execute.

The ContentHandler's RequiresSessionStart property does not change anything.

This is the browser's network log:

Code:

XHR OPTIONS http://localhost:50085/map?appkey=9e9s3wAqqX1A&unit=location&shape=point&date=17.10.2020&type=1
Error: CORS Missing Allow Origin

OPTIONS:    http://localhost:50085/map?appkey=9e9s3wAqqX1A&unit=location&shape=point&date=17.10.2020&type=1
Status:     204 - No Content
Version:    HTTP/1.1
Referrer Policy:    strict-origin-when-cross-origin

RESPONSE HEADERS:
    Cache-Control:     no-cache, must-revalidate
    Connection:        keep-alive
    Content-Length:    0
    Content-Type:      text/html; charset=UTF-8
    Date:              Thu, 19 Aug 2021 10:18:38 GMT
    P3P:               CP="NO P3P"
    Pragma:            no-cache
    X-IW-Cors-Origin:  not found

REQUEST HEADERS:
    Accept:            */*
    Accept-Encoding:   gzip, deflate
    Accept-Language:   fr,de;q=0.8,it;q=0.6,en-US;q=0.4,en;q=0.2
    Access-Control-Request-Headers:    x-appkey,x-hash,x-unixtime
    Access-Control-Request-Method:     GET
    Cache-Control:     no-cache
    Connection:        keep-alive
    DNT:               1
    Host:              localhost:50085
    Origin:            null
    Pragma:            no-cache
    Sec-Fetch-Dest:    empty
    Sec-Fetch-Mode:    cors
    Sec-Fetch-Site:    cross-site
    User-Agent:        Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0

What am I missing?

Best Regards,

Ronald Krause


08-19-2021, 12:36 PM:

Hi Ronald, I have been getting good results in situations like yours, using .OnAfterDispatch

Code:

procedure TIWServerController.IWServerControllerBaseAfterDispatch(
  Request: THttpRequest; aReply: THttpReply);
begin
  // Content-Security-Policy attached to every reply. Note that 'unsafe-inline'
  // and 'unsafe-eval' permit inline and eval'd script, so this policy limits
  // where resources may be loaded from rather than blocking injected script.
  aReply.AddHeader('Content-Security-Policy',
    'default-src '     + QuotedStr('self') + ' https: ' + QuotedStr('unsafe-inline') + ' ' + QuotedStr('unsafe-eval') + '; ' +
    'script-src '      + QuotedStr('self') + ' https: ' + QuotedStr('unsafe-inline') + ' ' + QuotedStr('unsafe-eval') + '; ' +
    'style-src '       + QuotedStr('self') + ' https: ' + QuotedStr('unsafe-inline') + '; ' +
    'img-src '         + QuotedStr('self') + ' https: data:; ' +
    'object-src '      + QuotedStr('self') + '; ' +
    'media-src '       + QuotedStr('self') + ' https:; ' +
    'frame-ancestors ' + QuotedStr('self') + ' https:; ' +
    'base-uri '        + QuotedStr('self') + ' https:');

  // Allow any origin. '*' is only accepted by browsers for requests made
  // without credentials (no cookies, no HTTP auth); custom headers such as
  // x-appkey are not credentials in the CORS sense.
  aReply.AddHeader('Access-Control-Allow-Origin', '*');
end;
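Added example, not code from this thread or from IntraWeb: the server-side CORS decision written as a small JavaScript function, so the preflight from Ronald's log can be replayed against different policies and compared with the reply's Access-Control-Allow-Origin: * approach. The mechanics it models are standard browser behaviour. Because the GET carries the custom headers x-appkey, x-hash and x-unixtime, the browser first sends OPTIONS with Origin, Access-Control-Request-Method and Access-Control-Request-Headers, and it only sends the real GET if the OPTIONS reply carries an Access-Control-Allow-Origin that covers the origin AND an Access-Control-Allow-Headers that covers those three names; Allow-Origin alone is not enough for this request. Two points visible in the log: the request's Origin is the literal value null, which browsers send for pages opened from file:// and for sandboxed iframes, so any origin allowlist refuses it (and none should list it, since any attacker page can produce a null origin); and the Content-Security-Policy header in the reply above has no effect on CORS at all, while its 'unsafe-inline' and 'unsafe-eval' sources give up most of what a CSP is for. The allowed origin https://maps.example.org, the policy shape, the function names and the sample requests are constructed for illustration; only the header names and values copied from the log are from the thread.

```javascript
// Added example (not from the forum thread or IntraWeb): a pure function that
// decides which CORS headers a server should attach to a request, including
// the OPTIONS preflight the browser sends before a GET with custom headers.
// POLICY, the origin in it and the sample requests are assumptions.

const POLICY = {
  // Origins allowed to call the handler. The literal "null" origin (file://
  // pages, sandboxed iframes) is deliberately absent: any page can produce it,
  // so allowlisting it is equivalent to allowing everyone.
  origins: new Set(["https://maps.example.org"]), // assumed second website
  methods: ["GET"],
  // The custom authentication headers named in the thread's preflight.
  headers: ["x-appkey", "x-hash", "x-unixtime"],
  maxAgeSeconds: 600, // how long the browser may cache a successful preflight
};

// Case-insensitive header lookup on a plain { name: value } object.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === want) return headers[key];
  }
  return undefined;
}

// A preflight is an OPTIONS request that names the method it asks about.
function isPreflight(req) {
  return req.method === "OPTIONS" &&
    getHeader(req.headers, "Access-Control-Request-Method") !== undefined;
}

// Returns { preflight, allowed, status, headers }. `status` is only set for a
// preflight, which must be answered here and must never reach the content
// handler. An empty `headers` object means the browser will block the call.
function corsDecision(req, policy, { allowAnyOrigin = false } = {}) {
  const origin = getHeader(req.headers, "Origin");
  const preflight = isPreflight(req);
  const result = { preflight, allowed: false, status: preflight ? 204 : null, headers: {} };

  // No Origin header: same-origin request or a non-browser client. Nothing to add.
  if (origin === undefined) { result.allowed = true; return result; }

  const originOk = allowAnyOrigin || policy.origins.has(origin);
  if (!originOk) return result; // no Access-Control-* headers at all

  if (preflight) {
    const method = getHeader(req.headers, "Access-Control-Request-Method").toUpperCase();
    const requested = (getHeader(req.headers, "Access-Control-Request-Headers") || "")
      .split(",").map(h => h.trim().toLowerCase()).filter(Boolean);
    const methodOk = policy.methods.includes(method);
    const headersOk = requested.every(h => policy.headers.includes(h));
    if (!methodOk || !headersOk) return result; // preflight fails, GET is never sent
    result.headers["Access-Control-Allow-Methods"] = policy.methods.join(", ");
    result.headers["Access-Control-Allow-Headers"] = policy.headers.join(", ");
    result.headers["Access-Control-Max-Age"] = String(policy.maxAgeSeconds);
  }

  // "*" is acceptable here because the call authenticates with custom headers,
  // not cookies. A credentialed request (Access-Control-Allow-Credentials: true)
  // would need the concrete origin echoed back instead; browsers reject "*" then.
  result.headers["Access-Control-Allow-Origin"] = allowAnyOrigin ? "*" : origin;
  // When echoing a specific origin, tell caches the answer depends on it.
  if (!allowAnyOrigin) result.headers["Vary"] = "Origin";
  result.allowed = true;
  return result;
}

// Constructed copy of the preflight from the thread's browser log.
const PREFLIGHT_FROM_LOG = {
  method: "OPTIONS",
  headers: {
    "Origin": "null",
    "Access-Control-Request-Method": "GET",
    "Access-Control-Request-Headers": "x-appkey,x-hash,x-unixtime",
  },
};

function demo() {
  // 1. With an origin allowlist the "null" origin is refused: 204 and no
  //    Access-Control-Allow-Origin, the shape the thread's log shows.
  const refused = corsDecision(PREFLIGHT_FROM_LOG, POLICY);
  // 2. With "*" (as in the reply's handler) the same preflight succeeds, but
  //    only because Allow-Headers also covers the three custom headers.
  const open = corsDecision(PREFLIGHT_FROM_LOG, POLICY, { allowAnyOrigin: true });
  // 3. An allowlisted origin gets its own value echoed back plus Vary: Origin.
  const listed = corsDecision(
    { ...PREFLIGHT_FROM_LOG, headers: { ...PREFLIGHT_FROM_LOG.headers, Origin: "https://maps.example.org" } },
    POLICY);
  return { refused, open, listed };
}
```

Whichever server event ends up answering the OPTIONS request, the reply it produces has to look like case 2 or case 3 above: a 204 with Allow-Origin, Allow-Methods and Allow-Headers, and no body. Case 1 is the current state of the log, a 204 with none of them.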