CORS headers are cut in browser for status codes >= 400

Question

I'm doing some changes in web AngularJS app (1.3 version). For ajax calls I use $http. All requests are cross-origin, so I use CORS headers in all responses from server.

My problem is that during unexplainable reasons all CORS headers are cut when I monitor them in Chrome (the same for Firefox) but I see them in Fiddler response. It happens for requests with status code >= 400. So all requests with status code 200 has CORS headers in a response.

In Fiddler I see:

Access-Control-Allow-Headers: Origin, Content-Type, Accept, Cache-Control
Access-Control-Allow-Methods: GET, PUT, POST, DELETE, OPTIONS
Access-Control-Allow-Origin: *
Connection: keep-alive

But in browser I see:

Connection: close

It's a cause that $http always returns 0 as a status code. For 1.4.0 Angular $http was rewritten and this works properly even without CORS headers, but I can't update angular library now.

Does anybody face the same problem?

Answer 1

I ran into the same problem. Make save that the "Cache-Control" header is only set to "no-cache". If "no-store" is set, you will maybe not the response of requests >= 400 in the console of Chrome.

Answer 2

I've found a couple of gotcha's when trying to receive a 400 status code over a CORS enabled connection.

An AJAX POST request from A to B will result in two requests to B. First a preflight request using OPTIONS method. And if the preflight is successful then the POST request will be made.

When A sends OPTIONS request to B. B must answer with all the CORS headers and a status code 200. (200 is important!).

When A send POST request to B. B must again answer with all the CORS headers, this time the status code is non-important to CORS and you can use any fitting status code you need.

Firefox console is great at telling you what specificly failed in your CORS request, make sure you got all the different filters off.