Reputation: 371
why is a pre-flight request occurring?
My chrome extension works fine sometimes if I have another of my applications open (which doesn't use CORS). But sometimes the browser extension sends a pre-flight request and then my code doesn't work.
Here is the request header in the case when a preflight is unfortunately sent:
OPTIONS /sub_crud/Subit_backend/register HTTP/1.1
Host: www.xxxxubstantiation.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Access-Control-Request-Method: POST
Origin: chrome-extension://xxxxlhfmhghjhbkkkaaammfocdpib
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Access-Control-Request-Headers: content-type,x-requested-with
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
The error I get is:
"has been blocked by CORS policy: Request header field x-requested-with is not allowed by Access-Control-Allow-Headers in preflight response."
But I don't want to send a preflight and don't know why a preflight is sometimes being sent. I am wondering if the problem has something to do with Preflighted requests and redirects? also, here is the code that sets up the request:
xhr.open('POST', url, true);
// xhr.setRequestHeader("Content-type", 'text/plain');
xhr.setRequestHeader("Content-type", 'application/json');
xhr.setRequestHeader("X-Requested-With",'xmlhttprequest');
// xhr.setRequestHeader("Access-Control-Allow-Origin", '*');
I tried using text/plain as the content-type but that didn't work. I also commented out the access-control-allow-origin, but that didn't work.
Any ideas on how to stop the pre-flight? or if I can't stop the preflight, how to set up Apache to respond to it?
Additional Information******************* 1) both the browser js code and the server code (CI) are mine. 2) I really didn't even want a preflight request. Because I am sending type=application/json, the browser decided to make it OPTION. 3) My PHP function is not getting fired. I have a debugger on it too. 4) I modified the httpd.conf on the server to get include:
Header set Access-Control-Allow-Origin "*" Header set Access-Control-Allow-Headers "Accept,Authorization,Content-Type,Origin" Header set Access-Control-Allow-Methods "GET, POST, PATCH, PUT, DELETE" Header set Access-Control-Max-Age: 864005) the code, both the browser extension and the server have worked in the past.
Upvotes: 0
Views: 1613
Answers (1)
Reputation: 461
In CORS, a preflight request with the OPTIONS method is sent, so that the server can respond whether it is acceptable to send the request with these parameters.
See this link for more details about options http method.
So the issue is your server has not allowed CORS for header x-requested-with.
xhr.setRequestHeader("X-Requested-With",'xmlhttprequest'); // here is the issue
Now either you can comment this line or if it is required then allow this header in your server.
For setting in server you can use .htaccess file
Upvotes: 1
Related Questions
- Why is an OPTIONS request sent and can I disable it?
- What is the motivation behind the introduction of preflight CORS requests?
- What does "Response to preflight request doesn't pass access control check" mean?
- CORS: No pre-flight on GET but a pre-flight on POST
- Reason for CORS preflight request error
- CORS preflight not happening consistently
- pre-flight OPTIONS request for CORS
- It seems the pre-flight for CORS doesn't make sense. Is it a joke?
- Why aren't POST requests always preflighted?
- Why is this simple CORS request doing a pre-flight options check