breautek commented on issue #1241:
URL: https://github.com/apache/cordova-ios/issues/1241#issuecomment-1189060506

   The `Access-Control-Allow-Origin` should have a wildcard value of `*`, or a specific origin set (e.g. `https://localhost`).
   
   I'll post an NGINX config that I use, and then I'll explain the bits so that you can add it to your own technology stack, whatever that might be. I think most of this you have right based on your comment above, but I think you might be missing handling of `OPTIONS` requests, which I'll explain at the end.
   
   ```
   # Applied to every response. The `always` flag adds the header on error
   # responses too, not only on 2xx/3xx.
   add_header 'Access-Control-Allow-Origin' $http_origin always;
   add_header 'Access-Control-Allow-Methods' 'GET, POST, DELETE, PUT, OPTIONS, HEAD' always;
   add_header 'Access-Control-Allow-Headers' 'Accept, X-TP-META, X-BT-AUTH, Content-Type, X-Requested-With, JSNLog-RequestId, Access-Control-Allow-Origin, X-TP-SOURCE-TARGET, X-TP-SOURCE-VERSION' always;

   # Preflight: answer OPTIONS directly with an empty 204. The headers are
   # repeated here because add_header directives inside a block replace,
   # rather than extend, the ones inherited from the enclosing level.
   if ($request_method = 'OPTIONS') {
           add_header 'Access-Control-Allow-Origin' $http_origin always;
           add_header 'Access-Control-Allow-Methods' 'GET, POST, DELETE, PUT, OPTIONS, HEAD' always;
           add_header 'Access-Control-Allow-Headers' 'Accept, X-TP-META, X-BT-AUTH, Content-Type, X-Requested-With, JSNLog-RequestId, Access-Control-Allow-Origin, X-TP-SOURCE-TARGET, X-TP-SOURCE-VERSION' always;
           # Let the browser cache the preflight result (seconds; 20 days).
           add_header 'Access-Control-Max-Age' 1728000 always;
           add_header 'Content-Type' 'text/plain; charset=UTF-8' always;
           add_header 'Content-Length' 0 always;
           return 204;
   }
   ```
   
   > add_header 'Access-Control-Allow-Origin' $http_origin always;
   
   This is setting the `Access-Control-Allow-Origin` response header to the same value as the request's `Origin` header. All CORS-enabled browsers will send an `Origin` header in their request. This should be effectively the same as setting `Access-Control-Allow-Origin` to the `*` wildcard. The reason why I do it this way is because earlier versions (pre iOS 11, if I recall correctly) didn't work properly with `*`.
   
   > add_header 'Access-Control-Allow-Methods' 'GET, POST, DELETE, PUT, OPTIONS, HEAD' always;
   
   At the very minimum, you need `OPTIONS` inside `Access-Control-Allow-Methods`, but you'll probably want `GET` and `POST`, and maybe a few others. It depends on what you use for your server-side REST APIs. `OPTIONS` is required because some APIs may implicitly send an `OPTIONS` request to the server before sending the actual request. You won't see this in the JS console, but you will see these requests on the server side.
   
   What you have should be sufficient if all you use for HTTP methods are 
`GET`, `POST`, and `DELETE`.
   
   > add_header 'Access-Control-Allow-Headers' 'Accept, X-TP-META, X-BT-AUTH, Content-Type, X-Requested-With, JSNLog-RequestId, X-TP-SOURCE-TARGET, X-TP-SOURCE-VERSION' always;
   
   `Access-Control-Allow-Headers` controls which request headers are acceptable. I have a lot of things that are specific to my own projects, but at minimum you'll probably need `Accept` and `Content-Type`. If you use custom headers, you'll need to include them as well.
   
   ```
   if ($request_method = 'OPTIONS') {
           add_header 'Access-Control-Allow-Origin' $http_origin always;
           add_header 'Access-Control-Allow-Methods' 'GET, POST, DELETE, PUT, OPTIONS, HEAD' always;
           add_header 'Access-Control-Allow-Headers' 'Accept, X-TP-META, X-BT-AUTH, Content-Type, X-Requested-With, JSNLog-RequestId, Access-Control-Allow-Origin, X-TP-SOURCE-TARGET, X-TP-SOURCE-VERSION' always;
           add_header 'Access-Control-Max-Age' 1728000 always;
           add_header 'Content-Type' 'text/plain; charset=UTF-8' always;
           add_header 'Content-Length' 0 always;
           return 204;
   }
   ```
   
   This is the part that might be missing in your configuration. CORS has what's called a preflight request, which is a request that gets implicitly sent as an `OPTIONS` first, before the real request goes out. You won't see the `OPTIONS` request in the network tab of the web inspector, but you'll see the request on the server side. The `OPTIONS` request must respond with the appropriate CORS headers like any other request, and must have no content body. The above NGINX configuration makes it so that if the incoming request is an `OPTIONS` request, it does just that: it sets the headers, including `Content-Length: 0`, and returns HTTP status 204.
   
   Preflights aren't always used; they are only used in certain circumstances. The [MDN Docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#preflighted_requests) have more information on preflighted requests, including when they are actually used.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
