cors not working with liberator


Prikshet Sharma

Mar 5, 2020, 5:15:34 AM
to Liberator
I have the following system.components middleware config, in which I'm using the ring.middleware wrap-cors, to allow for redirects to an external server:
```
(defn config []
  {:http-port  (Integer. (or (env :port) 5000))
   :middleware [[wrap-defaults api-defaults]
                wrap-with-logger
                wrap-gzip
                ignore-trailing-slash
                [wrap-reload {:dir "../../src"}]
                [wrap-trace :header :ui]
                wrap-params
                wrap-keyword-params
                wrap-cookies
                [wrap-cors :access-control-allow-headers #{"accept"
                                                            "accept-encoding"
                                                            "accept-language"
                                                            "authorization"
                                                            "content-type"
                                                            "origin"}
                 :access-control-allow-origin [#"https://some-url"]
                 :access-control-allow-methods [:delete :get
                                                :patch :post :put]]]})
```
And this is supposed to insert headers into every response. But instead, on a request from the client which leads to a redirect to https://some-url, I get the following error in the client browser:
```
Access to XMLHttpRequest at 'https://someurl' (redirected from 'http://localhost:5000/some-uri') from origin 'http://localhost:5000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
```

Why aren't the correct headers in the response despite adding the middleware?

-- EDIT --

I've also tried the [jumblerg.middleware.cors] wrap-cors middleware like so:

```
(defn config []
  {:http-port  (Integer. (or (env :port) 5000))
   :middleware [[wrap-defaults api-defaults]
                wrap-with-logger
                wrap-gzip
                ignore-trailing-slash
                [wrap-reload {:dir "../../src"}]
                [wrap-trace :header :ui]
                wrap-params
                wrap-keyword-params
                wrap-cookies
                [wrap-cors #".*"]]})
```


And have added the headers using liberator like so:
```
(defresource some-route [redirect-uri]
  :available-media-types ["application/json"]
  :allowed-methods [:post]
  :post-redirect? true
  :as-response (fn [d ctx]
                 ;; added headers
                 (-> (as-response d ctx)
                     (assoc-in [:headers "Access-Control-Allow-Origin"] "*")
                     (assoc-in [:headers "Access-Control-Allow-Headers"] "Content-Type")))
  ;; redirect uri
  :location redirect-uri)
```

But still get the `No 'Access-Control-Allow-Origin' header is present on the requested resource.` error

Philipp Meier

Mar 5, 2020, 5:38:05 AM
to Liberator


On Thursday, March 5, 2020 at 11:15:34 UTC+1, Prikshet Sharma wrote:
> I have the following system.components middleware config, in which I'm using the ring.middleware wrap-cors, to allow for redirects to an external server:
>
> Why aren't the correct headers in the response despite adding the middleware?



Can you paste the actual response headers you get?


Prikshet Sharma

Mar 5, 2020, 7:21:54 PM
to Liberator
Here's the response:

```
{:cached nil,
 :request-time 133,
 :repeatable? false,
 :protocol-version {:name "HTTP", :major 1, :minor 1},
 :streaming? true,
 :http-client
 #object[org.apache.http.impl.client.InternalHttpClient 0x1499ee2f "org.apache.http.impl.client.InternalHttpClient@1499ee2f"],
 :chunked? true,
 :reason-phrase "OK",
 :headers
 {"Server" "ESF",
  "Content-Type" "text/html; charset=utf-8",
  "Alt-Svc"
  "quic=\":443\"; ma=2592000; v=\"46,43\",h3-Q050=\":443\"; ma=2592000,h3-Q049=\":443\"; ma=2592000,h3-Q048=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000",
  "X-Frame-Options" "SAMEORIGIN",
  "Connection" "close",
  "Pragma" "no-cache",
  "Transfer-Encoding" "chunked",
  "Expires" "Mon, 01 Jan 1990 00:00:00 GMT",
  "Date" "Fri, 06 Mar 2020 00:17:35 GMT",
  "X-XSS-Protection" "0",
  "Content-Security-Policy"
  "script-src 'report-sample' 'nonce-KOSbeSyc6er9kVm1mlOYhw' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /o/cspreport",
  "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate",
  "Content-Language" "en-US"},
 :orig-content-encoding nil,
 :status 200,
 :length -1,
 :body
 "<!DOCTYPE html><html><head><title>Forwarding ...</title><meta http-equiv=\"content-type\" content=\"text/html; charset=utf-8\"><meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\"><meta name=\"viewport\" content=\"width=device-width, initial-scale=1, minimum-scale=1, maximum-scale=1, user-scalable=0\"><script src='https://ssl.gstatic.com/accounts/o/4145983012-xsrfstatemanager.js' nonce=\"KOSbeSyc6er9kVm1mlOYhw\"></script></head><body ><noscript><meta http-equiv=\"refresh\" content=\"0;url=/o/noscript\"></noscript>\n<!-- framebuster code starts here -->\n<style nonce=\"KOSbeSyc6er9kVm1mlOYhw\">plaintext{display:none}</style>\n<script nonce=\"KOSbeSyc6er9kVm1mlOYhw\">\n(function(){\ntry{\n    var win=this;\n    while(\"<plaintext>\"){\n       if(win.parent==win)\n          break;\n       eval(\"win.frameElement.src\").substr(0,1);\n       win=win.parent;\n    }\n    if(win.frameElement!=null)throw 'busted';\n    document.write(\"\\x3Cxmp style\\x3Ddisplay:none\\x3E\");\n}catch(e){\n    try{\n        if(!open(location,'_top'))\n           alert('this content cant be framed');\n   top.location=location;\n    }catch(e){}\n}\n})();\n</script>\n<!-- do not remove the plaintext nor xmp tags -->\n<plaintext/><xmp>.</xmp>\n<!-- framebuster code ends here -->\n<script type=\"text/javascript\" nonce=\"KOSbeSyc6er9kVm1mlOYhw\">xsrfstatemanager.chooseKeyAndRedirect( 'https:\\/\\/accounts.google.com\\/signin\\/oauth?client_id\\x3d826989245822-4c0jevn3q5n36bg80aq0dmnndt90vsv7.apps.googleusercontent.com\\x26as\\x3dqsvv35IERiS-TL5seRYhmQ\\x26destination\\x3dhttp:\\/\\/localhost:10555\\x26approval_state\\x3d!ChRlZHA5TDdheEZiM2UtUHBGZ0NCQhIfbzRJeDFRQ1drdW9UVUU3MWpGWk5XazBUMDBYVENoYw%E2%88%99AF-3PDcAAAAAXmLoH1QejAaAk8NvRN1gI6_td-cmuxjg\\x26oauthgdpr\\x3d1\\x26xsrfsig\\x3dChkAeAh8T6crvxpg2HfjPIKqzKagbEplnb0qEg5hcHByb3ZhbF9zdGF0ZRILZGVzdGluYXRpb24SBXNvYWN1Eg9vYXV0aHJpc2t5c2NvcGU', 'oRt5lPNXBXLBkX8MuN_0D5oZ2tkG8-o6e_OOAzeV57c', 'OCAK',true,true, 
'https:\\/\\/accounts.google.com\\/o\\/nocookie');</script></body></html>",
 :trace-redirects
```

I also tried the following:

```
  :handle-ok (fn [ctx]
               (ring-response
                {:headers {"Access-Control-Allow-Origin" "*"
                           "Access-Control-Allow-Headers" "Content-Type"}}))
```

But still nothing.

Philipp Meier

Mar 9, 2020, 10:40:30 AM
to Liberator

Is this a response to a GET request? It's hard to follow the way it's posted. You need to implement a response to the OPTIONS request, too. Implement `handle-options` for that.

Can you send an OPTIONS request with `curl` or `postman` to the resource?
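
An added example, not part of the thread and not Liberator's or ring-cors's own code: a dependency-free Ring-style middleware that answers the OPTIONS preflight discussed above, using an exact-match origin allowlist rather than `#".*"` or `"*"`. The name `wrap-preflight` and the allowlist values are assumptions made for illustration.

```clojure
(ns example.cors-preflight
  (:require [clojure.string :as str]))

;; Assumptions (constructed values, not from the thread's project).
(def allowed-origins #{"http://localhost:5000"})
(def allowed-methods #{"GET" "POST" "OPTIONS"})
(def allowed-headers #{"accept" "authorization" "content-type" "origin"})

(defn- cors-headers
  "Echo the origin only after an exact allowlist match; Vary keeps caches honest."
  [origin]
  {"Access-Control-Allow-Origin"  origin
   "Access-Control-Allow-Methods" (str/join ", " (sort allowed-methods))
   "Access-Control-Allow-Headers" (str/join ", " (sort allowed-headers))
   "Vary"                         "Origin"})

(defn- requested-headers
  "Parse Access-Control-Request-Headers into a set of lower-case names."
  [request]
  (->> (str/split (get-in request [:headers "access-control-request-headers"] "") #",")
       (map (comp str/lower-case str/trim))
       (remove str/blank?)
       set))

(defn- preflight? [request]
  (and (= :options (:request-method request))
       (some? (get-in request [:headers "access-control-request-method"]))))

(defn wrap-preflight
  "Hypothetical Ring middleware: answers preflights itself, and adds CORS
  headers to ordinary responses, for allowlisted origins only."
  [handler]
  (fn [request]
    (let [origin (get-in request [:headers "origin"])
          method (get-in request [:headers "access-control-request-method"])]
      (cond
        (not (contains? allowed-origins origin))
        (if (preflight? request) {:status 403 :headers {} :body ""} (handler request))
        (not (preflight? request))
        (update (handler request) :headers merge (cors-headers origin))
        (and (contains? allowed-methods (str/upper-case method))
             (every? allowed-headers (requested-headers request)))
        {:status 204 :headers (cors-headers origin) :body ""}
        :else {:status 403 :headers {} :body ""}))))

(comment ; constructed preflight for a POST; evaluate at the REPL
  ((wrap-preflight (constantly {:status 201 :headers {} :body ""}))
   {:request-method :options
    :headers {"origin" "http://localhost:5000"
              "access-control-request-method" "POST"
              "access-control-request-headers" "content-type"}}))
```

This governs only responses sent by your own server. When an XMLHttpRequest follows a redirect to another origin, the browser applies the same check to the headers that other server returns.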