CODEWITHSUNDEEP
node.jsnginxcors
Tomas
Tomas

Reputation: 3204

CORS issue with 3 domains - what are the correct settings for CORS in this case?

Ok, I've looked at a ton of questions on here and all around and can't seem to get this issue taken care of so if this is somehow a duplicate and I've missed something please point me in the right direction.

I've got a Node/Sails API server running at api.example.com, my js-sdk running from www.example.com and a client embedding the js-sdk at www.anotherdomain.com

Both api. and www. have this for CORS in the NGINX config:

location / {
 if ($request_method = 'OPTIONS') {
    add_header 'Access-Control-Allow-Origin' $http_origin;
    add_header 'Access-Control-Allow-Credentials' 'true';
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    add_header 'Access-Control-Max-Age' 1728000;
    add_header 'Content-Type' 'text/plain charset=UTF-8';
    add_header 'Content-Length' 0;
    return 204;
 }
 if ($request_method = 'POST') {
    add_header 'Access-Control-Allow-Origin' $http_origin;
    add_header 'Access-Control-Allow-Credentials' 'true';
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
 }
 if ($request_method = 'GET') {
    add_header 'Access-Control-Allow-Origin' $http_origin;
    add_header 'Access-Control-Allow-Credentials' 'true';
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
 }
}

When I run a post to a valid endpoint from anotherdomain.com I get this error:

XMLHttpRequest cannot load http://api.example.com/users. The 'Access-Control-Allow-Origin' header contains the invalid value ''. Origin 'www.anotherdomain.com' is therefore not allowed access.

Upvotes: 0

Views: 118

Answers (1)

kombucha
kombucha

Reputation: 1424

If you don't mind doing it in your application, you can directly configure CORS inside Sails by adding in config/cors.js : 

allRoutes: true

See documentation there and there for more details on the options

Upvotes: 1

Related Questions