breautek commented on issue #1549: URL: https://github.com/apache/cordova-android/issues/1549#issuecomment-1400965975
Have a read of my [blog](https://breautek.com/articles/enabling-cors.html), particularly on preflight requests. In short, having `Access-Control-Allow-Origin` is only part of the CORS compatibility. In some cases, the browser may perform a "preflight request". This is done behind the scenes but effectively before it does the `GET` request, it may send an `OPTIONS` request to the server, this is called a preflight request. The server should respond to the preflight request by giving no content body e.g. `Content-Length` should be 0, and the HTTP status should be `204` (OK, No Content). The response should also have the `Access-Control` headers also defined. I tested the url in your example and I see it giving `Access-Control-Allow-Origin` on the `GET` request but it doesn't have the `OPTIONS` request implemented. I also see that you're using an NGINX server, so you can easily get `OPTIONS` for all your API endpoints by doing something like ``` if ($request_method = 'OPTIONS') { add_header 'Access-Control-Allow-Origin' $http_origin always; add_header 'Access-Control-Allow-Methods' 'GET, POST, DELETE, PUT, OPTIONS, HEAD' always; add_header 'Access-Control-Allow-Headers' 'Accept, Content-Type, Access-Control-Allow-Origin' always; add_header 'Content-Type' 'text/plain charset=UTF-8' always; add_header 'Content-Length' 0 always; return 204; } ``` In your `location` block. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
