CORS request failure with jQuery using withCredentials and client certificates
- GET requests are not preflighted. See Here
- When responding to a credentialed request, the server must specify a domain and cannot use wildcarding (it must not be Access-Control-Allow-Origin: *). See Here
mikew
Updated on July 09, 2022
Comments
-
mikew almost 2 years
I can't figure out why this CORS request is failing to return data.
I'm using Catalyst MVC on the backend, Firefox 24.0 as a browser. jQuery 1.9.1. Please note the following:
- otherdomain.com requires a client certificate.
- hitting the resource directly returns expected data. (https://otherdomain.com/resource/1) returns proper data.
I have a simple page that tests the request:
    <script type='text/javascript'>
    function get_data() {
        console.log("running");
        $.ajax({
            url: "https://otherdomain.com/resource/1",
            dataType: 'json',
            type: 'GET',
            xhrFields: { 'withCredentials': true },
            crossDomain: true
        }).success(function(data) {
            console.log(data);
            $('#output').html(data);
        }).error(function(xhr, status, error) {
            alert("error");
            console.log(xhr);
        });
    }
    $(document).ready(function() { get_data(); });
    </script>
Here are my request headers:
    GET /resource/1 HTTP/1.1
    Host: otherdomain.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Referer: https://mydomain.com/test.html
    Origin: https://mydomain.com
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache
Here are my response headers. (copy of view source from firebug console) I see on my catalyst debug output that the request is served as 200 OK and the content is sent.
    HTTP/1.1 200 OK
    Date: Mon, 28 Oct 2013 19:31:08 GMT
    Server: HTTP::Server::PSGI
    Vary: Content-Type
    Content-Length: 653
    Content-Type: application/json
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Origin: *
    Access-Control-Max-Age: 1800
    X-Catalyst: 5.90030
    Via: 1.1 otherdomain.com
And the error is thrown from the ajax call:
    readyState: 0
    responseText: ""
    status: 0
    statusText: "error"
Firebug shows the response body as empty from the request even though it's a 200 OK.
I thought that when using 'withCredentials' a pre-flight request was required but I don't see an OPTIONS being sent via firebug.
Also, I can see no Access-Control-Request-Header being added by my request, so I'm not returning any Access-Control-Allow-Headers from the server.
Now, the frontend of Catalyst is Apache2, and I'm using proxypass in a virtual host to send the request to catalyst on localhost:8080. I'm not sure if that has any bearing but thought it might be important. It should be transparent to the browser though.
Thanks for any help!
-
mikew over 10 years
gah. I had Access-Control-Allow-Origin: <origin> set on one iteration of my program, but not with the Allow-Control-Allow-Credentials: true. I moved it back to use * for Origin when I added Allow-Credentials. I wasn't aware of that requirement. Thanks much for the pointer! Working now.
-
monsur over 10 years
Note that it is not true that GET requests are never preflighted. GET requests can be preflighted if the request contains custom headers.
-
Radderz about 3 years
I think Allow-Control-Allow-Credentials should be Access-Control-Allow-Credentials (this has solved a CORS error for me when trying to supply credentials)
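The rule discussed in this thread, as an added example that is not code from the original posts: a simplified model of the check a browser applies to a cross-origin response, next to a server-side helper that echoes an allowlisted origin instead of `*`. The allowlist, the function names and the sample responses are assumptions constructed for illustration.

```javascript
// Added example. ALLOWED_ORIGINS and the function names are assumptions.
const ALLOWED_ORIGINS = new Set(["https://mydomain.com"]);

// Server side: CORS headers for a request that carries credentials.
function corsHeadersFor(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {}; // unknown origin: no CORS headers
  return {
    "Access-Control-Allow-Origin": requestOrigin, // exact origin, never "*"
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // stop caches reusing this response for another origin
  };
}

// Browser side (simplified): is the response exposed to the calling script?
function corsCheck(requestOrigin, withCredentials, responseHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = value; // header names are case-insensitive
  }
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) return "blocked: no Access-Control-Allow-Origin";
  if (!withCredentials) {
    return allowOrigin === "*" || allowOrigin === requestOrigin
      ? "allowed" : "blocked: origin mismatch";
  }
  if (allowOrigin === "*") return "blocked: wildcard origin on credentialed request";
  if (allowOrigin !== requestOrigin) return "blocked: origin mismatch";
  if (h["access-control-allow-credentials"] !== "true") {
    return "blocked: Access-Control-Allow-Credentials is not \"true\"";
  }
  return "allowed";
}

// Constructed sample responses, modelled on the headers quoted in the thread.
const pageOrigin = "https://mydomain.com";
const wildcard = { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true" };
const misspelled = { "Access-Control-Allow-Origin": pageOrigin, "Allow-Control-Allow-Credentials": "true" };

console.log(corsCheck(pageOrigin, true, wildcard));    // the failing response from the question
console.log(corsCheck(pageOrigin, false, wildcard));   // same headers, no credentials
console.log(corsCheck(pageOrigin, true, misspelled));  // misspelled header name
console.log(corsCheck(pageOrigin, true, corsHeadersFor(pageOrigin)));
```

A blocked response still reaches the browser with its 200 status; the script just sees `status: 0` and an empty body, which matches the symptoms in the question.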