My Firefox is issuing an OPTIONS preflight request to my private backend to make a subsequent GET request with credentials.
The preflight request includes the headers
Origin: http://localhost:9670
Access-Control-Request-Headers: authorization
Access-Control-Request-Method: GET
My server responds with
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:9670
Vary: Origin
According to the docs I found, that should be fine.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
Anyway, my Firefox still states
CORS Missing Allow Header
in the Transferred section of the Network tab in the Developer Console.
What is my server response missing?
CodePudding user response:
In addition to
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:9670
Vary: Origin
the response to the preflight request must also contain
Access-Control-Allow-Methods: GET
Access-Control-Allow-Headers: Authorization
Otherwise, the access control check will fail and your browser won't send the actual (preflighted) request. See
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers
Are you implementing CORS from scratch in the backend? If so, why not use a (good) CORS library, which you could configure to take care of all this for you?
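An added example, not part of the question or the answer above: a sketch of a preflight handler that echoes the origin only from an exact-match allowlist, next to a simplified version of the browser's check that reports which part of a response fails. All function and constant names are hypothetical, and the request and response objects are constructed from the headers quoted in the question.

```javascript
// Added example: every name here is hypothetical, not from the original post.
const ALLOWED_ORIGINS = new Set(["http://localhost:9670"]); // exact-match allowlist
const ALLOWED_METHODS = ["GET"];
const ALLOWED_HEADERS = ["authorization"];
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"]; // CORS-safelisted in the Fetch standard
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Server side: response headers for an OPTIONS preflight (`req` uses lowercased names).
function preflightHeaders(req) {
  const res = { "vary": "Origin" };
  const granted = ALLOWED_ORIGINS.has(req["origin"]) &&
    ALLOWED_METHODS.includes(req["access-control-request-method"]) &&
    list(req["access-control-request-headers"]).every((h) => ALLOWED_HEADERS.includes(h));
  if (!granted) return res; // no CORS headers, so the browser blocks the request
  res["access-control-allow-origin"] = req["origin"]; // never reflect an unlisted origin
  res["access-control-allow-credentials"] = "true";
  res["access-control-allow-methods"] = ALLOWED_METHODS.join(", ");
  res["access-control-allow-headers"] = ALLOWED_HEADERS.join(", ");
  return res;
}

// Browser side, simplified: reasons a credentialed preflight response is rejected.
// With credentials, "*" is not a wildcard, so only literal matches count.
function preflightProblems(req, res) {
  const problems = [];
  if (res["access-control-allow-origin"] !== req["origin"]) problems.push("origin");
  if (res["access-control-allow-credentials"] !== "true") problems.push("credentials");
  const method = req["access-control-request-method"];
  const methods = list(res["access-control-allow-methods"]);
  if (!SAFELISTED_METHODS.includes(method) && !methods.includes(method.toLowerCase()))
    problems.push("method");
  const headers = list(res["access-control-allow-headers"]);
  for (const h of list(req["access-control-request-headers"]))
    if (!headers.includes(h)) problems.push("header:" + h);
  return problems;
}

// Constructed sample: the preflight and the incomplete response from the question.
const request = { "origin": "http://localhost:9670",
  "access-control-request-method": "GET", "access-control-request-headers": "authorization" };
const incomplete = { "access-control-allow-origin": "http://localhost:9670",
  "access-control-allow-credentials": "true", "vary": "Origin" };

console.log(preflightProblems(request, incomplete));
console.log(preflightProblems(request, preflightHeaders(request)));
```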