CORS Problem with option request
#1
Hello,

I have a content handler that delivers some GeoJSON for an OpenLayers map. We use custom HTTP headers for authentication.
All works well if called from inside my application. But if I call it from a second website, I get a "Missing CORS Header" error.

I have enabled CORS support according to this advice: https://www.atozed.com/2019/04/cors-supp...available/

My understanding is: the call generates an OPTIONS request, and this OPTIONS request is not answered correctly.
I tried to add Allow-Origin headers manually, but none of the events I tried were triggered by the OPTIONS request.
I tested ServerController.OnAfterDispatch, .OnBeforeDispatch and .OnNewSession as well as ContentHandler.Execute.
The ContentHandler's RequiresSessionStart property does not change anything.

This is the browser protocol:
Code:
XHR OPTIONS http://localhost:50085/map?appkey=9e9s3wAqqX1A&unit=location&shape=point&date=17.10.2020&type=1
Error: CORS Missing Allow Origin

OPTIONS:    http://localhost:50085/map?appkey=9e9s3wAqqX1A&unit=location&shape=point&date=17.10.2020&type=1
Status:    204 - No Content
Version:    HTTP/1.1
Referrer Policy:    strict-origin-when-cross-origin

RESPONSE HEADERS:
    Cache-Control:    no-cache, must-revalidate
    Connection:      keep-alive
    Content-Length:    0
    Content-Type:    text/html; charset=UTF-8
    Date:          Thu, 19 Aug 2021 10:18:38 GMT
    P3P:            CP="NO P3P"
    Pragma:        no-cache
    X-IW-Cors-Origin:  not found

REQUEST HEADERS:   
    Accept:        */*
    Accept-Encoding:    gzip, deflate
    Accept-Language:    fr,de;q=0.8,it;q=0.6,en-US;q=0.4,en;q=0.2
    Access-Control-Request-Headers:    x-appkey,x-hash,x-unixtime
    Access-Control-Request-Method:      GET
    Cache-Control:    no-cache
    Connection:    keep-alive
    DNT:            1
    Host:          localhost:50085
    Origin:        null
    Pragma:        no-cache
    Sec-Fetch-Dest:    empty
    Sec-Fetch-Mode:    cors
    Sec-Fetch-Site:    cross-site
    User-Agent:    Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
What am I missing?

Best Regards,
Ronald Krause
#2
Hi Ronald, I have been getting good results in situations like yours, using .OnAfterDispatch
Code:
// ServerController event that runs after every request has been dispatched,
// so the headers below are appended to every reply, the OPTIONS preflight included.
procedure TIWServerController.IWServerControllerBaseAfterDispatch(
  Request: THttpRequest; aReply: THttpReply);
begin
   // Content-Security-Policy: restricts where scripts, styles, images, media,
   // frames and the document base may be loaded from ('self' plus any https:
   // origin; inline and eval scripts are permitted here).
   aReply.AddHeader('Content-Security-Policy',
      'default-src '       + QuotedStr('self') + ' https: ' + QuotedStr('unsafe-inline') + ' ' + QuotedStr('unsafe-eval') + '; ' +
      'script-src '        + QuotedStr('self') + ' https: ' + QuotedStr('unsafe-inline') + ' ' + QuotedStr('unsafe-eval') + '; ' +
      'style-src '         + QuotedStr('self') + ' https: ' + QuotedStr('unsafe-inline') + '; ' +
      'img-src '           + QuotedStr('self') + ' https: data:; ' +
      'object-src '        + QuotedStr('self') + '; ' +
      'media-src '         + QuotedStr('self') + ' https:; ' +
      'frame-ancestors '   + QuotedStr('self') + ' https:; ' +
      'base-uri '          + QuotedStr('self') + ' https:');

   // Lets any origin read the response; '*' is only honoured by browsers for
   // requests made without credentials (cookies, HTTP auth).
   aReply.AddHeader('Access-Control-Allow-Origin', '*');
end;
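The preflight exchange from the browser log in post #1, modelled as an added example (Python standing in for both sides; this is not IntraWeb code or the project's code). It runs the checks a browser applies to a preflight response against the reply seen in the question and against a reply carrying only Access-Control-Allow-Origin as in the post above, and shows a server-side builder that answers from an allowlist. The origin https://maps.example and the allowlist contents are assumptions.

```python
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}  # never need listing in Allow-Methods

# Preflight request headers copied from the browser log in the question (constructed dict).
PREFLIGHT_REQUEST = {
    "Origin": "null",
    "Access-Control-Request-Method": "GET",
    "Access-Control-Request-Headers": "x-appkey,x-hash,x-unixtime",
}

def _split(value):
    """Comma-separated header value -> list of trimmed tokens."""
    return [v.strip() for v in value.split(",") if v.strip()]

def build_preflight_response(request, allowed_origins, allowed_headers, allowed_methods):
    """Server side: answer an OPTIONS preflight, or return None to refuse it.
    The Origin is matched exactly against an allowlist instead of being reflected,
    and only header names on our own list are granted."""
    origin = request.get("Origin", "")
    method = request.get("Access-Control-Request-Method", "")
    wanted = {h.lower() for h in _split(request.get("Access-Control-Request-Headers", ""))}
    # "null" is sent by sandboxed iframes, file:// pages and redirected requests; never allowlist it.
    if origin == "null" or origin not in allowed_origins or method not in allowed_methods:
        return None
    if not wanted <= {h.lower() for h in allowed_headers}:
        return None
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(allowed_methods)),
        "Access-Control-Allow-Headers": ", ".join(sorted(allowed_headers)),
        "Access-Control-Max-Age": "600",
        "Vary": "Origin",  # stop caches serving one origin's answer to another
    }

def browser_accepts_preflight(request, response, credentials=False):
    """Client side: the checks a browser applies to a preflight response (Fetch spec).
    Returns (ok, reason); the failing reasons mirror the DevTools wording."""
    origin = request.get("Origin", "")
    acao = response.get("Access-Control-Allow-Origin")
    if acao is None:
        return False, "CORS Missing Allow Origin"
    if acao != origin and not (acao == "*" and not credentials):
        return False, "origin not allowed"
    method = request.get("Access-Control-Request-Method", "")
    methods = _split(response.get("Access-Control-Allow-Methods", ""))
    if method not in methods and method not in SAFELISTED_METHODS and ("*" not in methods or credentials):
        return False, "method not allowed"
    allowed = {h.lower() for h in _split(response.get("Access-Control-Allow-Headers", ""))}
    for name in _split(request.get("Access-Control-Request-Headers", "")):
        if name.lower() not in allowed and ("*" not in allowed or credentials):
            return False, "header " + name + " not allowed"
    return True, "ok"
```

Because the request in the log carries custom x-appkey, x-hash and x-unixtime headers, a preflight reply needs Access-Control-Allow-Headers listing them as well as Access-Control-Allow-Origin, and a non-"null" Origin is needed before a strict allowlist can match.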