Add Access-Control-Allow-Origin: * to HTTP Request (OPTIONS)

[William Bradee]

I am trying to get "Access-Control-Allow-Orign" in the header for the OPTIONS request.

I can add this to the header of the response: msg.res.set( "Access-Control-Allow-Origin" , "*"); 

but this is after the browser has failed to get the flag from OPTIONS phase. 

That is, what I see is that the request never makes from the "Http In" node to  my function node where I  set the header.

Is there a straightforward way to allow Cross Origin Resource Sharing with Node red?

[Nicholas O'Leary]

Hi,

this isn't currently possible - but is on the todo list to fix.

There are two possible approaches. I would appreciate any comments from the community as to which way to go.

1. Add a property to the HTTP Request node to configure this. This would allow different settings to be applied to each node - although it would have to be manually set on each node.

2. Add a property to settings.js that gets applied to all HTTP Request nodes - this wouldn't allow different cross origin policies to be applied to different nodes.

I'm inclined to go with option 2 - a global setting for the nodes. It preserves the ability to add a per-node option to override it in the future if there is a compelling enough use case for doing so.

Nick

--
http://nodered.org
---
You received this message because you are subscribed to the Google Groups "Node-RED" group.
To unsubscribe from this group and stop receiving emails from it, send an email to node-red+u...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

[William Bradee]

I like your approach #2.

via search for question on express, found http://stackoverflow.com/questions/14253574/cross-domain-cors-support-for-express-js-app :

var allowCrossDomain = function(req, res, next) {

  res.header('Access-Control-Allow-Origin', '*');

  res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');

  res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization, Content-Length, X-Requested-With');

  // intercept OPTIONS method

  if ('OPTIONS' == req.method) {

    res.send(200);

  }

  else {

   next();

  }

};

app.use(allowCrossDomain);

Then inserted in red.js after "var flowFile;"

This is brute force, ... now I see how I could add as an option just like 

if (settings.httpAuth) ....

Maybe for approach 2:

if (settings.httpAllowCrossDomain) ...

- Bill -

On Tuesday, February 11, 2014 10:04:21 PM UTC-6, William Bradee wrote:

I am trying to get "Access-Control-Allow-Orign" in the header for the OPTIONS request.

I can add this to the header of the response: msg.res.set( "Access-Control-Allow-Origin" , "*"); 

but this is after the browser has failed to get the flag from OPTIONS phase. 

That is, what I see is that the request never makes from the "Http In" node to  my function node where I  set the header.

Is there a straightforward way to allow Cross Origin Resource Sharing with Node red?

[Nicholas O'Leary]

I'll look at this properly later, but we don't want to apply it to * ... that would allow cross domain access to the admin endpoints, which is a different requirement and should be treated separately. Instead, this should only apply to OPTION requests made to end points explicitly created by the http request node.

N

[Nicholas O'Leary]

Hi,

I've just pushed an update that adds CORS support to the HTTP In node - https://github.com/node-red/node-red/commit/6b278fdceb6bf4f945a0b8a5a69c9e74021d2da8

There is now an 'httpNodeCors' option in setting.js, where cors can be configured - as with all settings, there is in-line help in the settings file.

As I mentioned before, this only applies to the HTTP In node. It does not enable CORS on the node-red admin endpoints.

Nick