Reputation: 825
CORS Preflight 403, but I have proper header
Working on an ionic app that calls an api on a webserver for database interaction. I've done this once before and copied the code from that project, but it isn't working.
Here are the headers I have on the php webserver:
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Credentials: true");
header("Access-Control-Allow-Methods: GET, HEAD, OPTIONS, POST, PUT, DELETE");
header("Access-Control-Allow-Headers: Authorization, Origin, X-Requested-With, Content-Type, Accept");
header("Access-Control-Expose-Headers: Access-Control-Allow-Headers, Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers");
And this is the error I get when I try and fire off a POST from the app:
Cross-Origin Read Blocking (CORB) blocked cross-origin response <url remove by me> with MIME type text/html.
Failed to load <url removed by me>: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access.
The status code is 403 Forbidden
It took some fiddling around to get the headers to work for the previous project, and these are the same set of headers. It is hosted on a different server this time, but I'm not sure if that makes any difference for CORS. The file exists and that is the correct path to it. If I navigate directly to the api page, the headers show Access-Control-Allow-Origin *... but trying to get it from the app just isn't working.
Any help is appreciated. CORS can be such a pain.
Upvotes: 2
Views: 12063
Answers (2)
Reputation: 825
Thanks for all your suggestions yesterday, I finally figured out what it was. After nothing seemed to make any difference or change in the response I contacted the hosting company. Turns out they block OPTIONS requests on the lowest hosting tier.
So if anyone else runs into this, contact your hosting company and see if it is on their end.
Upvotes: 4
Reputation: 944430
A preflight request cannot include cookies or other common authentication headers and must receive a 200 OK response.
Your server is responding with 403 Forbidden. You need to exclude OPTIONS requests from the requirement to be authorised.
If I navigate directly to the api page
… then you are making a GET request, not a preflight OPTIONS request.
Upvotes: 2
Related Questions
- CORS: PHP: Response to preflight request doesn't pass. Am allowing origin
- cors error header disallowed by preflight response
- CORS preflight request returning HTTP 405
- Angular-PHP CORS request blocked
- php api rest does not accept cors requests even using header ('Access-Control-Allow-Origin: *');
- Angular CORS simple request triggers preflight with Authorization header in POST
- CORS AJAX-request fails even though the correct headers are specified
- Angular $http: Response for preflight has invalid HTTP status code 403
- angularjs and PHP : Request header field Access-Control-Allow-Origin is not allowed by Access-Control-Allow-Headers in preflight response
- AngularJS not sending request after CORS preflight response