I am using react for the front end and Ruby on Rails for the back end. I am using version 2.6.1 for ruby on rails.
When I started my application I am getting an error saying...
"Access to fetch at 'http://localhost:3000/profile' from origin 'http://localhost:3001' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled."
I received the following
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at <my-ip-address> (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
after calling the rest server from my angular app, the code was working perfect when I was using local rest server
I'm using a C9 AWS instance to run an API REST written in ruby on rails, and i'm consuming the resources from an Ionic App with simple http calls.
When i make a http request from the ionic app, the server response with this message:
Failed to load https://the_server.vfs.cloud9.us-east-2.amazonaws.com/resource: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8100' is therefore not allowed access. The response had HTTP status code 404.
How can I enable the CORS in the Cloud 9 instance ?
I have already enable the CORS in rails with the rack-cors gem
The call to https://the_server.vfs.cloud9.us-east-2.amazonaws.com/resource is being handled by a proxy. To allow CORS, you need to call the server directly. You can do that
by connecting to the server IP address, and opening the correct ports. It's described here: https://docs.aws.amazon.com/cloud9/latest/user-guide/app-preview.html?icmpid=docs_ac9_ide#app-preview-share
I'm buliding an app using spring-security-oauth2. In general, everything is working fine and I have three independent clients using a simple API I have created. All client apps are calling the API from different domains. All the apps can register members using the client-credentials grant, and then get password grant access tokens and refresh tokens.
However, for all three clients, when a request is sent using an expired access token, the response from the resource server does not include an Access-Control-Allow-Origin header. This is a problem for the hal-browser and angular app as they rely on responses having an Access-Control-Allow-Origin header.
What is the spring way of including the Access-Control-Allow-Origin header on the expired token response?
I have a Filter adding the following headers on a zuul gateway, but the filter never gets fired in the case of a request with an expired access token.
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE, HEAD");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers",
"X-Requested-With, WWW-Authenticate, Authorization, Origin, Content-Type, Version");
response.setHeader("Access-Control-Expose-Headers",
"X-Requested-With, WWW-Authenticate, Authorization, Origin, Content-Type");
After diving into the spring code, it turned out this issue was caused by the order of filter execution. The OAuth filter was called first and threw an InvalidAccessToken exception, preventing my CORS filter from ever running and adding the necessary Acccess-Control-Allow-Origin header.
Adding the annotation
#Order(Ordered.HIGHEST_PRECEDENCE)
to my CORS filter did the trick.
I have a flask backend set up that runs through Google's OAuth2 flow. When the user visits /signup, there's a button there they can press to start it up. I know that the flow works because if I set up it to start as soon as someone visits /signup (by doing a 302 redirect to the /start-google-oauth endpoint), then everything goes smoothly.
But if I remove the redirect and have the user start the flow themselves by pressing the button, it doesn't work. The button just issues a GET request to /start-google-oauth but then the redirect to google to open their popup window returns an Access-Control-Allow-Origin error:
XMLHttpRequest cannot load https://accounts.google.com/o/oauth2/auth?redirect_uri=... No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin '<origin url>' is therefore not allowed access.
The origin specified as the origin url is however given as a valid redirect_uri in the app's credential setup.
What could be causing this?
Since you are forwarding a GET request try setting Access-Control-Allow-Origin: * before forwarding.