Blocked by CORS policy #15280

Sa1ch · 2021-02-06T14:54:52Z

Sa1ch
Feb 6, 2021

Hello!
I use AXIOS on your frontend and pass the following headlines:

headers: { 'Authorization': 'Bearer {key}', 'Content-Type': 'application/json' }
In my bekend there is the following answer:

$di->set( 'response', function(){ $response = new Response(); $response ->setHeader("Access-Control-Allow-Origin", '*') ->setHeader("Access-Control-Allow-Methods", 'GET,POST,PUT') ->setHeader("Access-Control-Allow-Headers", '*') ->setHeader("Access-Control-Allow-Credentials", true) ->sendHeaders(); return $response; } );
An error comes in response: No 'Access-Control-Allow-Origin' header is present...
But if you remove the header Authorization, then the answer comes normally.

How to solve this problem?

renatogabrielbr · 2021-02-10T14:54:07Z

renatogabrielbr
Feb 10, 2021

How is your server configured ?
Suppose it's a nginx you need to use header on you location / { }

You can use as get,post,put if all are the same remove the if.

if ($request_method = 'GET') {
  add_header 'Access-Control-Allow-Origin' '*';
 add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE, HEAD, PATCH';
 add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,Access-Control-Allow-Headers,Access-Control-Allow-Headers,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,X-Custom-Header';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
}

2 replies

Sa1ch Feb 11, 2021
Author

Thanks for the answer!
I solved this problem.
It's all about the OPTIONS preliminary request that sends a browser.

specified a route for such a request:

$api->addOptions(
        '/:controller/:action/:params',
        [
            'controller' => 'index',
            'action'     => 'options',
            'params'     => 3
        ]
    );

indexController

public function optionsRequestAction()
    {
        $this->response
            ->setHeader('Access-Control-Allow-Origin', $_SERVER["HTTP_ORIGIN"])
            ->setHeader('Access-Control-Max-Age', '0')
            ->setHeader('Access-Control-Allow-Methods', 'GET,POST,PUT')
            ->setHeader('Access-Control-Allow-Headers', '*')
            ->setHeader('Access-Control-Allow-Credentials', 'true')
            ->sendHeaders();
    }

And everything worked!
But I look for a more elegant solution. For example, through events...

Jeckerson Feb 11, 2021
Maintainer

https://docs.phalcon.io/4.0/en/events#events-manager

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

The Phalcon PHP Framework

Blocked by CORS policy #15280

{{title}}

Replies: 1 comment 2 replies

{{title}}

{{title}}

{{title}}

Select a reply

The Phalcon PHP Framework

Blocked by CORS policy #15280

Sa1ch Feb 6, 2021

Replies: 1 comment · 2 replies

renatogabrielbr Feb 10, 2021

Sa1ch Feb 11, 2021 Author

Jeckerson Feb 11, 2021 Maintainer

Sa1ch
Feb 6, 2021

Replies: 1 comment 2 replies

renatogabrielbr
Feb 10, 2021

Sa1ch Feb 11, 2021
Author

Jeckerson Feb 11, 2021
Maintainer