CORS / preflight OPTIONS request


Thomas Martino

Dec 16, 2013, 10:45:53 PM
to aran...@googlegroups.com

I have tried a variety of ways and tools. Any suggestions would be appreciated, and confirmation that it does work when done correctly would be very appreciated. Thank you.

void preflight(Event e, var detail, Node target) {
     e.preventDefault(); // Don't do the default submit.
     invocation = new HttpRequest();
     var url = 'http://localhost:8529/_api/';
     var body = '';
     invocation.open('OPTIONS', url);
     invocation.onReadyStateChange.listen(onDat);
     invocation.send(body);
}



Failed to load resource: the server responded with a status of 405 (Method Not Supported)
http://localhost:8529/_api/

Failed to load resource: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:3030' is therefore not allowed access.
http://localhost:8529/_api/

XMLHttpRequest cannot load http://localhost:8529/_api/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:3030' is therefore not allowed access.

Arangodb Log: 2013-12-17T03:27:17Z [1077] WARNING got corrupted HTTP request 'OPTION' 

Jan Steemann

Dec 17, 2013, 2:58:32 AM
to aran...@googlegroups.com
Hi Thomas,

could you let us know which browser (if a browser) and which ArangoDB
version you tried this with?
Then it might be easier for us to figure out.

If you want to, you can check out this browser-based example (inspired
by http://www.html5rocks.com/en/tutorials/cors/), which should work:


function createCORSRequest(method, url) {
  var xhr = new XMLHttpRequest();
  if ("withCredentials" in xhr) {
    // XHR for Chrome/Firefox/Opera/Safari.
    xhr.open(method, url, true);
  } else if (typeof XDomainRequest != "undefined") {
    // XDomainRequest for IE.
    xhr = new XDomainRequest();
    xhr.open(method, url);
  } else {
    // CORS not supported.
    xhr = null;
  }
  return xhr;
}

// Make the actual CORS request.
function makeCorsRequest() {
  // ArangoDB endpoint to query; insert your own URL here.
  var url = 'http://127.0.0.1:8529/_api/version';

  var xhr = createCORSRequest('GET', url);
  if (!xhr) {
    alert('CORS not supported');
    return;
  }

  // Response handlers.
  xhr.onload = function() {
    var text = xhr.responseText;
    console.log(text);
  };

  xhr.onerror = function() {
    alert('Woops, there was an error making the request.');
  };
  xhr.send();
}

makeCorsRequest();


If you run arangod with trace logging enabled (--log.level trace) then
it should emit the following log data:

2013-12-17T07:49:50Z [2999] TRACE [./lib/HttpServer/HttpCommTask.h:217] HTTP READ FOR 0x7fe980000ee0:\nGET /_api/version HTTP/1.1\r\nHost: 127.0.0.1:8529\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: de-de,en-us;q=0.7,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nOrigin: null\r\nConnection: keep-alive\r\n\r\n
2013-12-17T07:49:50Z [2999] TRACE [./lib/HttpServer/HttpCommTask.h:261] server port = 8529, client port = 56754
2013-12-17T07:49:50Z [2999] TRACE [lib/HttpServer/HttpHandlerFactory.cpp:313] found handler for path '/_api/version'
2013-12-17T07:49:50Z [2999] TRACE [./lib/HttpServer/HttpCommTask.h:633] handling CORS response
2013-12-17T07:49:50Z [2999] TRACE [./lib/HttpServer/HttpCommTask.h:692] HTTP WRITE FOR 0x7fe980000ee0:\nHTTP/1.1 200 OK\r\naccess-control-allow-credentials: true\r\nserver: ArangoDB\r\naccess-control-allow-origin: null\r\ncontent-type: application/json; charset=utf-8\r\nconnection: Keep-Alive\r\ncontent-length: 37\r\n\r\n{"server":"arango","version":"1.4.3"}

As you can see, the server sent the "access-control-allow-origin" header
back as it was sent to it by the client.


The reason for the server not responding with the appropriate header in
your case is probably that you send an HTTP OPTIONS request
without the "origin" header.

If you simply issue an HTTP OPTIONS request to the server without
sending the "origin" header, you won't get an
"access-control-allow-origin" header back:

> curl --dump - -X OPTIONS http://127.0.0.1:8529/_api/version
HTTP/1.1 200 OK
server: ArangoDB
allow: DELETE, GET, HEAD, PATCH, POST, PUT
content-type: text/plain; charset=utf-8
connection: Keep-Alive
content-length: 0

Instead, if you send the "origin" header to the server, it will reply
with the "access-control-allow-origin" header:

> curl -H "Origin: something" --dump - -X OPTIONS http://127.0.0.1:8529/_api/version
HTTP/1.1 200 OK
access-control-allow-credentials: true
connection: Keep-Alive
access-control-allow-methods: DELETE, GET, HEAD, PATCH, POST, PUT
access-control-max-age: 1800
allow: DELETE, GET, HEAD, PATCH, POST, PUT
server: ArangoDB
content-type: text/plain; charset=utf-8
access-control-allow-origin: something
content-length: 0

I hope this helps.

Best regards
Jan
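
The two curl responses above, evaluated the way a browser evaluates a preflight reply. This is an added example, not code from the thread or from ArangoDB; the function names and the trustedOrigins allowlist are assumptions, and the sample responses are abridged from the curl output in this message. It also raises a review flag when the server echoes back an origin that is not on the operator's allowlist while allowing credentials.

```javascript
// Added example: evaluate a raw preflight response the way a browser would.
// Sample responses are abridged from the curl output in the reply above.
const WITHOUT_ORIGIN = [
  'HTTP/1.1 200 OK',
  'server: ArangoDB',
  'allow: DELETE, GET, HEAD, PATCH, POST, PUT',
  'content-length: 0', '', ''].join('\r\n');
const WITH_ORIGIN = [
  'HTTP/1.1 200 OK',
  'access-control-allow-credentials: true',
  'access-control-allow-methods: DELETE, GET, HEAD, PATCH, POST, PUT',
  'access-control-max-age: 1800',
  'access-control-allow-origin: something',
  'content-length: 0', '', ''].join('\r\n');

function parseResponse(raw) {
  const [statusLine, ...lines] = raw.split('\r\n\r\n')[0].split('\r\n');
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status: Number(statusLine.split(' ')[1]), headers };
}

// Assumes a credentialed request (xhr.withCredentials = true), for which a
// wildcard never matches. trustedOrigins is a hypothetical operator allowlist.
function checkPreflight(raw, origin, method, trustedOrigins = []) {
  const { status, headers } = parseResponse(raw);
  const findings = [];
  if (status < 200 || status > 299) findings.push(`status ${status} is not 2xx`);
  const acao = headers['access-control-allow-origin'];
  const creds = headers['access-control-allow-credentials'] === 'true';
  if (acao === undefined) findings.push('no access-control-allow-origin header');
  else if (acao !== origin) findings.push('access-control-allow-origin does not match');
  else if (!creds) findings.push('access-control-allow-credentials is not true');
  const methods = (headers['access-control-allow-methods'] || '')
    .split(',').map((m) => m.trim().toUpperCase());
  // GET, HEAD and POST are CORS-safelisted methods and need no explicit listing.
  if (!['GET', 'HEAD', 'POST'].includes(method) && !methods.includes(method)) {
    findings.push(`method ${method} not in access-control-allow-methods`);
  }
  const allowed = findings.length === 0;
  // Review flag: the server echoed an origin outside the allowlist with credentials on.
  const review = allowed && !trustedOrigins.includes(origin);
  return { allowed, findings, review };
}
```
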

Thomas Martino

Dec 17, 2013, 5:39:54 PM
to aran...@googlegroups.com
Thank you, how frustrating - there was an old arangod in my sbin. It was not loading v1.4; it was the curl recommendation that set me straight - the simple curl also responded with 405.

Works perfectly !!

Jan Steemann

Dec 18, 2013, 2:34:18 AM
to aran...@googlegroups.com
I am happy it works now!

Best regards
Jan