Reputation: 2269
We have a Node.js-based application on one of our servers (let's call it 'my.apiserver.com'). Our client has a website in a different domain (my.client.com). When a user goes to our client's website there are a series of HTML pages received from, and Ajax-based requests sent to, our server. This seems to work fine across all devices and browsers with the exception of the latest Safari version (8). The majority (but oddly not all) of the Safari 8 users receive error messages along these lines:
XMLHttpRequest cannot load http://my.apiserver.com/views/view1.html. Origin http://my.client.com is not allowed by Access-Control-Allow-Origin
and
XMLHttpRequest cannot load http://my.apiserver.com/ajax_endpoint1?id=12345. Origin http://my.client.com is not allowed by Access-Control-Allow-Origin
Inside of our app.js file the node application has its cross-domain security set up like so:
/***************************************************************************/
/* configure CORS
/***************************************************************************/
app.use(function(req, res, next) {
    res.set('Access-Control-Allow-Origin', 'http://my.client.com');
    res.set('Access-Control-Allow-Credentials', true);
    res.set('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
    res.set('Access-Control-Allow-Headers', 'Origin, Product-Session, X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept, Referer, User-Agent');
    // intercept OPTIONS method
    if ('OPTIONS' == req.method) {
        res.send(200);
    }
    else {
        next();
    }
});
Any insights as to why our CORS setup is failing for the latest Safari would be appreciated.
Thanks
Upvotes: 10
Views: 28659
Reputation: 740
You can empty or disable the cache in the browser, and then check Disable Cross-Origin Restrictions in the Develop menu in Safari (this is for development purposes only).
It worked for me.
Upvotes: 13
Reputation: 2269
In the end this wasn't a CORS issue, it was a cookies issue. Specifically, it was a 3rd-party cookies issue, because later versions of Safari don't allow 3rd-party cookies by default. Since we are the third party, no cookie data was stored or passed back to our server, and the problem for some reason manifested itself as a CORS error. Once 3rd-party cookies were enabled the API calls worked as expected. Of course now we need to solve for the cookies issue.
Upvotes: 14
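Added example (not code from either poster): a Node.js middleware that sends the same CORS headers as the question and also records whether a request from the allowed origin arrived without a session cookie, so server logs can tell a blocked third-party cookie apart from an origin mismatch. The cookie name `sid` and the names `classify`, `parseCookies` and `corsMiddleware` are assumptions.

```javascript
// Added example; ALLOWED_ORIGIN comes from the question, every other name is hypothetical.
const ALLOWED_ORIGIN = 'http://my.client.com';
const SESSION_COOKIE = 'sid'; // assumed session cookie name

// Parse a Cookie request header into a Map of name -> value.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) jar.set(part.slice(0, i).trim(), part.slice(i + 1).trim());
  }
  return jar;
}

// Classify a request so logs separate an origin mismatch from a missing cookie.
function classify(method, headers) {
  const origin = headers.origin;
  if (!origin) return 'no-origin';              // same-origin or non-browser client
  if (origin !== ALLOWED_ORIGIN) return 'origin-not-allowed';
  if (method === 'OPTIONS') return 'preflight'; // preflights never carry cookies
  return parseCookies(headers.cookie).has(SESSION_COOKIE)
    ? 'ok'
    : 'allowed-origin-no-session-cookie';
}

// Connect/Express-style middleware using only Node's core response methods.
function corsMiddleware(req, res, next) {
  const verdict = classify(req.method, req.headers);
  req.corsVerdict = verdict; // available to later handlers
  if (verdict !== 'no-origin' && verdict !== 'origin-not-allowed') {
    res.setHeader('Access-Control-Allow-Origin', ALLOWED_ORIGIN);
    res.setHeader('Access-Control-Allow-Credentials', 'true');
    res.setHeader('Vary', 'Origin');
  }
  if (verdict === 'allowed-origin-no-session-cookie') {
    // Expected once per new visitor; a client that never sends the cookie
    // is likely blocking third-party cookies.
    console.warn('no session cookie on cross-site request:', req.url);
  }
  if (verdict === 'preflight') {
    res.setHeader('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
    res.setHeader('Access-Control-Allow-Headers',
      'Origin, Product-Session, X-Requested-With, Content-Type, Accept');
    res.statusCode = 200;
    return res.end();
  }
  next();
}
```

A steady stream of `allowed-origin-no-session-cookie` entries from one browser family, with `ok` from the others, points at cookie policy rather than at the CORS headers.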