Refused to get unsafe header "Location"

Question

I have a website and my REST api server.

I do ajax post request to the REST server to create new model. Answer for this request will be "HTTP/1.1 201 Created" response with header "Location: http://myapi.com/some/path/111" But I get error message Refused to get unsafe header "Location". I know that this is because of cross domain access policy and other bla bla bla.

Does anybody knows how to fix it? Maybe I have to add "Access-Controll-Allow-SOMETHINGHERE" header to the response?

UPD:

Web site URL http://www.mydomain.com/

Original URI is http://api.mydomain.com/model/ and new Location URI is http://api.mydomain.com/model/211

Original URI is used for ajax POST request, which responses with new Location header.

Answer 1

It's because Location header is not exposed to calling client (in this case your ajax code) by default (it's 'unsafe'). To expose it you have to return additional header:

Access-Control-Expose-Headers: Location

This way browser will expose it, so the client can read it. You can add there multiple comma separated headers. More about it here. Here you can read which methods, headers & content types are safe (simple) and don't require any additional configuration.

Answer 2

For Amazon S3 uploads (via Dropzone for instance) you need this in your CORS configuration.

<ExposeHeader>location</ExposeHeader>

Answer 3

header Location: http://myapi.com/some/path/111"

That piece of code is completely wrong. Use it correct, or almost corret.

Try this:

header("Location: http://myapi.com/some/path/111");

or

header("Location: http://myapi.com/some/path/111"); exit();

If this not work, let me know :-)

Answer 4

I'd just work around it, either by returning the new location as a value from the call or having the client code know where the newly created item is stored.

Another option is to create a proxy for the calls on the original domain.