CORS Failure with RestHelper

Igor Urisman

Mar 20, 2016, 2:46:02 PM
to lif...@googlegroups.com
Hello,

I have a web server that needs to be accessed in cross-origin fashion, which will require the request to be pre-flighted. I realize that I can do it with a container provided filter, but that's not great for my use case — I'd much rather prefer to sink this logic into the app, which happens to be a Lift app.

With the server running locally, the following curl statement succeeds:

curl -i -v -H 'Content-Type: application/json' -X post -d '{"sid":"SESSIONID",  "value":"VALUE", "parameterS":{"foo":"bar"}}' http://localhost:8080/event

The relevant snippet in RestHelper:

serve {
    ...
    case "event" :: Nil JsonPost json -> req => postEvent(json)
}

In LiftBoot, I defined the following supplemental headers:

LiftRules.supplementalHeaders.default.set(
  List(
    ("X-Lift-Version", LiftRules.liftVersion),
    ("Access-Control-Allow-Origin", "*"),
    ("Access-Control-Allow-Content-Type", "application/json"),
    ("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, HEAD, OPTIONS, PATCH"),
    ("Access-Control-Allow-Headers", "Cookie, Host, X-Forwarded-For, Accept-Charset, If-Modified-Since, Accept-Language, X-Forwarded-Port, Connection, X-Forwarded-Proto, User-Agent, Referer, Accept-Encoding, X-Requested-With, Authorization, Accept, Content-Type")
  ))


Finally, this is the JavaScript that makes the request (via jQuery $.ajax()):

$.ajax({
      url: "http://localhost:8080/event",
      method: "POST",
      data: "{}",
      contentType: "application/json; charset=utf-8",
      success: function(data) {
         console.log(data);
      },
      error:function(jqXHR){
         throw Error("Bad response from Variant server: " + jqXHR.status + " " + jqXHR.statusText);
      }
   });

This request fails with this error on FF:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8080/event. (Reason: CORS preflight channel did not succeed).

And with this error on Chrome:
XMLHttpRequest cannot load http://localhost:8080/event. Response for preflight has invalid HTTP status code 404

It appears that the problem isn't that the OPTIONS request never makes it. Do I need a handler for that? Has someone had to solve this?

Many thanks in advance,
Igor Urisman

Matt Farmer

Mar 20, 2016, 5:27:12 PM
to Lift
Hi Igor,

Interesting. Some of the security additions in 3.0 could be responsible for that. Hmmm. Are you able to reproduce the bug you’re seeing in a small sample project and publish that? We could go back and forth with fifty million questions, but it may just be quicker for me to take a look at a live project exhibiting the bug and play around in it.

Will you be able to set that up for me?

Thanks,

Matt


Matt Farmer | Blog | Twitter
GPG: CD57 2E26 F60C 0A61 E6D8  FC72 4493 8917 D667 4D07

--
--
Lift, the simply functional web framework: http://liftweb.net
Code: http://github.com/lift
Discussion: http://groups.google.com/group/liftweb
Stuck? Help us help you: https://www.assembla.com/wiki/show/liftweb/Posting_example_code

---
You received this message because you are subscribed to the Google Groups "Lift" group.
To unsubscribe from this group and stop receiving emails from it, send an email to liftweb+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Antonio Salazar Cardozo

Mar 21, 2016, 12:01:53 AM
to Lift
A sample project would definitely be helpful. I don't think the 3.0 security stuff
would be responsible here.

Just to check something obvious as well: has the relevant RestHelper been
added to LiftRules.dispatch? Did you set up handling for the OPTIONS request?
Out of the box JsonPost will only respond to POST requests. Additionally, the
supplemental headers will always be appended if you use `supplementalHeaders`,
while only the preflight request really needs to have those access control
headers.
Thanks,
Antonio

Igor Urisman

Mar 21, 2016, 12:43:04 AM
to lif...@googlegroups.com
Thanks to you both, Matt and Antonio.  This is useful: I do not, in fact, have a handler
for OPTIONS.  I think I mentioned that in my original long-winded post. I can see now
that there is OptionsRequest. I'll tinker with it a bit and report back. In the meantime,
if there's a code sample you could share, I'd appreciate it.
-Igor.



Igor Urisman

Mar 28, 2016, 9:49:10 PM
to lif...@googlegroups.com
Matt, Antonio —

Looks like I got it to work and here's the min configuration that worked for me.
Since there's little on the web on this, I thought I'd post it to the list.

1. I process the OPTIONS response in RestHelper as follows:
  
serve {
  case "event" :: Nil Options req => options(req)
  ...
}

...
def options(req: Req): LiftResponse = {
  val headers = S.getResponseHeaders(List(
    ("Access-Control-Allow-Methods", "*"),
    ("Access-Control-Allow-Headers", "origin, content-type, accept")))
  PlainTextResponse("", headers, HttpStatus.SC_OK)
}

  
2. Looks like I also need to send 2 headers back with every regular response, so I added this
to Lift boot:

LiftRules.supplementalHeaders.default.set(
  List(
    ("Access-Control-Allow-Origin", "*"),
    ("Access-Control-Allow-Credentials", "true")))

Thanks again,
-Igor.
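
The checks a browser applies to a preflight response, as an added example (not part of the original posts and not Lift code): a simplified model of the Fetch-standard preflight check, run over constructed responses modelled on the first and final configurations in this thread. The function name, the object shapes and the origin value are assumptions.

```javascript
// Added example: simplified model of a browser's CORS preflight check (Fetch standard).
// Names and object shapes are assumptions; response header names are given in lowercase.
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"];
const list = v => (v || "").split(",").map(s => s.trim()).filter(Boolean);

// req: { origin, method, headers: [non-safelisted request header names], credentials }
// res: { status, headers: { name: value } }
function checkPreflight(req, res) {
  if (res.status < 200 || res.status > 299) return "fail: preflight status " + res.status;
  const h = res.headers;
  const allowOrigin = h["access-control-allow-origin"];
  if (req.credentials) {
    // With credentials, "*" is not a wildcard: the origin must be echoed exactly.
    if (allowOrigin !== req.origin) return "fail: origin not allowed with credentials";
    if (h["access-control-allow-credentials"] !== "true") return "fail: credentials not allowed";
  } else if (allowOrigin !== "*" && allowOrigin !== req.origin) {
    return "fail: origin not allowed";
  }
  const wildcardOk = !req.credentials; // "*" in the lists below only counts without credentials
  const methods = list(h["access-control-allow-methods"]); // method names are case-sensitive
  const methodOk = SAFELISTED_METHODS.includes(req.method) ||
    methods.includes(req.method) || (wildcardOk && methods.includes("*"));
  if (!methodOk) return "fail: method " + req.method + " not allowed";
  const allowed = list(h["access-control-allow-headers"]).map(s => s.toLowerCase());
  for (const name of req.headers.map(n => n.toLowerCase())) {
    if (!allowed.includes(name) && !(wildcardOk && allowed.includes("*")))
      return "fail: header " + name + " not allowed";
  }
  return "ok";
}

// Constructed responses modelled on the thread (not captured traffic).
const firstConfig = { status: 404, headers: {} }; // no OPTIONS handler: status alone fails
const finalConfig = { status: 200, headers: {
  "access-control-allow-origin": "*",
  "access-control-allow-credentials": "true",
  "access-control-allow-methods": "*",
  "access-control-allow-headers": "origin, content-type, accept" } };
// The jQuery call: a JSON POST from another origin (origin value is a placeholder).
const jsonPost = { origin: "http://localhost:3000", method: "POST",
                   headers: ["content-type"], credentials: false };

console.log(checkPreflight(jsonPost, firstConfig));
console.log(checkPreflight(jsonPost, finalConfig));
console.log(checkPreflight({ ...jsonPost, credentials: true }, finalConfig));
```

A request sent with cookies or other credentials only passes when the server echoes a specific allow-listed origin in `Access-Control-Allow-Origin` instead of `*`.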

Antonio Salazar Cardozo

Mar 28, 2016, 11:28:56 PM
to Lift
Nice! Thanks so much for sending us the final solution! Glad you
got it working, too :)
Thanks,
Antonio