Reputation: 772
I'm attempting to make an ajax GET request to the Office365 RESTful API service from my local server, but am running into cross-domain HTTPRequest errors. The following is a sample of my 'get-files-at-root' attempt:
    $.ajax({
        url: 'https://[sharepoint_site]/_api/v1.0/me/files?access_token=' + token,
        type: 'get',
        dataType: 'json',
        success: function(data) {
            if (success) {
                success(data);
            }
        },
        error: error
    });
I'm getting the following response from the server:
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access. The response had HTTP status code 403.
I've tried sending the access token as a header parameter:
    headers: {'Authorization': 'Bearer ' + token}
but this had the same result.
Any ideas on what I'm doing wrong?
(Background: I'm trying to create my own Office365 'file picker' on the client because I couldn't find an available library for OneDrive Business that supplies this.)
Upvotes: 8
Views: 3147
Reputation: 66
Office 365 Files API and SharePoint REST have just introduced support for CORS.
What you were trying to do is exactly how it works. The service will respond to the OPTIONS pre-flight request with an Access-Control-Allow-Origin header.
The authorization in the request must be an Azure Active Directory issued OAuth2 implicit grant access token.
Upvotes: 4
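The pre-flight exchange described in the answer above can be modelled as a small check. This is an added example, not code from any post on this page or from Microsoft; it is a simplified model of the browser's rules, and `checkPreflight`, `askerRequest` and the sample responses are constructed names and data.

```javascript
// Added example: simplified model of the check a browser applies to the
// OPTIONS preflight response. Content-Type is treated as always safelisted.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

// Split a comma-separated header value into trimmed tokens.
function tokens(value) {
  return (value || '').split(',').map(s => s.trim()).filter(Boolean);
}

// req:  { origin, method, headers: [names], credentials: boolean }
// resp: { status, headers: { 'lowercase-name': value } } of the OPTIONS response
// Returns 'ok' or the reason the browser blocks the actual request.
function checkPreflight(req, resp) {
  const h = resp.headers;
  const allowOrigin = h['access-control-allow-origin'];
  if (!allowOrigin) return 'no Access-Control-Allow-Origin header';
  if (req.credentials && allowOrigin === '*') return 'wildcard origin with credentials';
  if (allowOrigin !== '*' && allowOrigin !== req.origin) return 'origin mismatch';
  if (req.credentials && h['access-control-allow-credentials'] !== 'true')
    return 'credentials not allowed';
  if (resp.status < 200 || resp.status > 299) return 'preflight status ' + resp.status;
  const wildcardOk = !req.credentials; // "*" is literal when credentials are sent
  const methods = tokens(h['access-control-allow-methods']); // case-sensitive match
  if (!['GET', 'HEAD', 'POST'].includes(req.method) && !methods.includes(req.method) &&
      !(wildcardOk && methods.includes('*'))) return 'method not allowed: ' + req.method;
  const allowed = tokens(h['access-control-allow-headers']).map(s => s.toLowerCase());
  for (const name of req.headers.map(n => n.toLowerCase())) {
    if (SAFELISTED.has(name)) continue;
    // Authorization must be listed by name; "*" never covers it.
    const viaWildcard = wildcardOk && allowed.includes('*') && name !== 'authorization';
    if (!allowed.includes(name) && !viaWildcard) return 'header not allowed: ' + name;
  }
  return 'ok';
}

// Constructed sample data modelled on the question's request.
const askerRequest = { origin: 'http://localhost:3000', method: 'GET',
                       headers: ['Authorization'], credentials: false };
const noCors = { status: 403, headers: {} };
const withCors = { status: 200, headers: {
  'access-control-allow-origin': 'http://localhost:3000',
  'access-control-allow-methods': 'GET',
  'access-control-allow-headers': 'Authorization' } };
const wildcardHeaders = { status: 200, headers: {
  'access-control-allow-origin': '*', 'access-control-allow-headers': '*' } };

console.log(checkPreflight(askerRequest, noCors));          // blocked, as in the question
console.log(checkPreflight(askerRequest, withCors));        // allowed
console.log(checkPreflight(askerRequest, wildcardHeaders)); // Authorization not covered
```

Every non-safelisted header the page script adds to the request, whatever its name, has to appear in the server's Access-Control-Allow-Headers for the pre-flight to pass.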
Reputation: 148
Can you try setting the Access-Control-Allow-Origin in the header as shown below?
    headers: { 'Access-Control-Allow-Origin': '*' }
Upvotes: -3
Reputation: 1
    response.setHeader("Access-Control-Allow-Origin", "*");
    response.setCharacterEncoding("UTF-8");
    response.setHeader("Access-Control-Allow-Methods", "POST, GET");
    response.setHeader("Access-Control-Allow-Headers", "x-requested-with");
Upvotes: 0
Reputation: 26129
You have no idea about CORS. Read the specification: http://www.w3.org/TR/cors/
In your case you have to allow null origin, since we are talking about localhost. You have to allow the methods and the headers you send, even the content-type header. You have to allow sending credentials, which you can get in the Authorization header. You have to handle OPTIONS requests with 200 ok.
Upvotes: 0