+- Atozed Forums (https://www.atozed.com/forums)
+-- Forum: Atozed Software Products (https://www.atozed.com/forums/forum-1.html)
+--- Forum: IntraWeb (https://www.atozed.com/forums/forum-3.html)
+---- Forum: English (https://www.atozed.com/forums/forum-16.html)
+----- Forum: IntraWeb General Discussion (https://www.atozed.com/forums/forum-4.html)
+----- Thread: CORS Problem with option request (/thread-2493.html)
CORS Problem with option request - Ronald Krause - 08-19-2021
Hallo,
I have a content handler that delivers some geoJSON for an openlayers map. We use custom HTTP headers for authentication.
All works well if called from inside my application. But if I call it from a second website, I get a "Missing CORS Header" Error.
I have enabled CORS support according to this advice: https://www.atozed.com/2019/04/cors-support-now-available/
My understanding is: The call generates an OPTIONS request, and this OPTIONS-Request is not answered correctly.
I tried to add Allow-Origin-headers manually, but none of the events I tried were triggered by the OPTIONS-Request.
I tested ServerController.OnAfterDispach, .OnBeforeDispach, .OnNewSession as well as the ContentHandler.Execute.
The ContentHandlers RequiresSessionStart property does not change anything.
This is Browser protocol:
Code:
XHR OPTIONS http://localhost:50085/map?appkey=9e9s3wAqqX1A&unit=location&shape=point&date=17.10.2020&type=1
Error: CORS Missing Allow Origin
OPTIONS: http://localhost:50085/map?appkey=9e9s3wAqqX1A&unit=location&shape=point&date=17.10.2020&type=1
Status: 204 - No Content
VersionHTTP/1.1
Referrer Policy: strict-origin-when-cross-origin
RESPONE HEADERS:
Cache-Control: no-cache, must-revalidate
Connection: keep-alive
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Date: Thu, 19 Aug 2021 10:18:38 GMT
P3P: CP="NO P3P"
Pragma: no-cache
X-IW-Cors-Origin: not found
REQUEST HEADERS:
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: fr,de;q=0.8,it;q=0.6,en-US;q=0.4,en;q=0.2
Access-Control-Request-Headers: x-appkey,x-hash,x-unixtime
Access-Control-Request-Method: GET
Cache-Control: no-cache
Connection: keep-alive
DNT: 1
Host: localhost:50085
Origin: null
Pragma: no-cache
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0What am I missing?
Best Regards,
Ronald Krause
RE: CORS Problem with option request - Jose Nilton Pace - 08-19-2021
Hi Ronald, I have been getting good results in situations like yours, using .OnAfterDispach
Code:
procedure TIWServerController.IWServerControllerBaseAfterDispatch(
Request: THttpRequest; aReply: THttpReply);
begin
aReply.AddHeader('Content-Security-Policy',
'default-src ' + QuotedStr('self') + ' https: ' + QuotedStr('unsafe-inline') + ' ' + QuotedStr('unsafe-eval') + '; ' +
'script-src ' + QuotedStr('self') + ' https: ' + QuotedStr('unsafe-inline') + ' ' + QuotedStr('unsafe-eval') + '; ' +
'style-src ' + QuotedStr('self') + ' https: ' + QuotedStr('unsafe-inline') + '; ' +
'img-src ' + QuotedStr('self') + ' https: data:; ' +
'object-src ' + QuotedStr('self') + '; ' +
'media-src ' + QuotedStr('self') + ' https:; ' +
'frame-ancestors ' + QuotedStr('self') + ' https:; ' +
'base-uri ' + QuotedStr('self') + ' https:');
aReply.AddHeader('Access-Control-Allow-Origin', '*');
end;