No 'Access-Control-Allow-Origin' header is present when origin is allowed


Kenny Williams

Oct 18, 2015, 5:48:57 PM
to pedestal-users
When I try and request a resource from a cljs app (running on http://localhost:3000) to my Pedestal server (running on http://localhost:8080) I get the below error. I would like to allow CORS from http://localhost:3000:

XMLHttpRequest cannot load http://localhost:8080/db/query. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.
I am using cljs-http to send the request from the client. The request looks something like this:

(defn load-server-data
  []
  (go
    (let [q (<! (http/post "http://localhost:8080/db/query"
                           {:edn-params {:query '[:find ?rep ?last
                                                  :where
                                                  [?rep :sales-rep/first-name ?last]]}}))]
      (println "q" q))))

The route for /db/query looks like this:

(defroutes routes
  [[["/db"
     {:post handlers/db-post}
     ["/query" {:post handlers/db-query}
      ^:interceptors [interceptors/edn-interceptor]]]]])


This is the handler for /db/query:

(defn db-query
  [req]
  (let [edn-params (:edn-params req)
        q          (:query edn-params)
        args       (:args edn-params)
        q-result   (apply d/q q (d/db conn) args)]
    {:status 200
     :body   (pr-str q-result)}))

To run the server I execute this function in the REPL.

(defn run-dev
  "The entry-point for 'lein run-dev'"
  [& args]
  (println "\nCreating your [DEV] server...")
  (-> service/service
      (merge {:env                     :dev
              ::server/join?           false
              ::server/routes          #(deref #'service/routes)
              ::server/allowed-origins {:creds true :allowed-origins ["http://localhost:3000"]}})
      server/default-interceptors
      server/dev-interceptors
      server/create-server
      server/start))

There does not seem to be much information around CORS for Pedestal. I have looked at the cors example but it seems to just work while mine does not. Is there another interceptor I need to add to my routes or some sort of configuration setting that I am missing here?

Avi Avicenna

Oct 20, 2015, 12:52:26 PM
to pedestal-users
Hi Kenny,

for now, try changing the service entry
::server/allowed-origins {:creds true :allowed-origins ["http://localhost:3000"]}

to

::server/allowed-origins {:creds true :allowed-origins (constantly true)}


Kenny Williams

Oct 20, 2015, 3:38:15 PM
to pedestal-users
I have tried that and I get a similar error:

XMLHttpRequest cannot load http://localhost:8080/db/query. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.

Dustin Getz

Oct 20, 2015, 3:58:32 PM
to Kenny Williams, pedestal-users
I suffered through this error too, I don't quite recall everything and I haven't kicked the tires on this project in several months, but


this has to line up with cljs-http request

Dustin Getz

Oct 20, 2015, 4:03:06 PM
to Kenny Williams, pedestal-users
You're not the first cljs-http user with this problem, see https://github.com/r0man/cljs-http/issues?utf8=%E2%9C%93&q=cors

Kenny Williams

Oct 20, 2015, 5:39:28 PM
to pedestal-users, kenny...@gmail.com
Right. As far as I am concerned they do line up. I posted my cljs-http request above. I was under the assumption that there was some sort of special headers that needed to be set server side. Could this be a cljs-http request problem? 

Dustin Getz

Oct 20, 2015, 8:58:19 PM
to Kenny Williams, pedestal-users
There may be a type error in your pedestal config, my allowed-origins is a function, yours is a list?

Kenny Williams

Oct 20, 2015, 8:59:35 PM
to pedestal-users, kenny...@gmail.com
I have updated my allowed-origins to this:
::server/allowed-origins {:creds true :allowed-origins (constantly true)}



Dustin Getz

Oct 21, 2015, 11:20:20 AM
to Kenny Williams, pedestal-users
Sorry if this is dumb, I am using :any in my pedestal handlers, can you confirm your browser sees the cors preflight response? (Do you see the OPTIONS request and response in your devtools, can you paste it here?) Maybe pedestal is not responding to the OPTIONS request.

"Unlike simple requests (discussed above), "preflighted" requests first send an HTTP request by the OPTIONS method to the resource on the other domain, in order to determine whether the actual request is safe to send." https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

Kenny Williams

Oct 22, 2015, 1:42:15 PM
to pedestal-users, kenny...@gmail.com
I do see the OPTIONS request. Here is the request: 

    OPTIONS /db/query HTTP/1.1
    Host: localhost:8080
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache
    Access-Control-Request-Method: POST
    Origin: http://localhost:3000
    X-FirePHP-Version: 0.0.6
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36
    Access-Control-Request-Headers: content-type
    Accept: */*
    Referer: http://localhost:3000/index.html?role=sales
    Accept-Encoding: gzip, deflate, sdch
    Accept-Language: en-US,en;q=0.8

And the response: 
    HTTP/1.1 200 OK
    Date: Thu, 22 Oct 2015 17:39:05 GMT
    Access-Control-Allow-Origin: http://localhost:3000
    Access-Control-Allow-Headers: Content-Type, content-type, Origin, Host, User-Agent, Access-Control-Request-Headers, Referer, Connection, Pragma, Accept, Accept-Language, Access-Control-Request-Method, Accept-Encoding, X-Firephp-Version, Cache-Control
    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, HEAD, PATCH, OPTIONS
    Access-Control-Allow-Credentials: true
    Transfer-Encoding: chunked
    Server: Jetty(9.2.0.v20140526)

Kenny Williams

Oct 22, 2015, 1:44:24 PM
to pedestal-users, kenny...@gmail.com
Oh, and here is the actual POST request:
    POST /db/query HTTP/1.1
    Host: localhost:8080
    Connection: keep-alive
    Content-Length: 69
    Pragma: no-cache
    Cache-Control: no-cache
    Origin: http://localhost:3000
    X-FirePHP-Version: 0.0.6
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36
    Content-Type: application/edn
    Accept: */*
    Referer: http://localhost:3000/index.html?role=sales
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.8

And the response:
    HTTP/1.1 200 OK
    Date: Thu, 22 Oct 2015 17:39:05 GMT
    Content-Type: text/plain
    Transfer-Encoding: chunked
    Server: Jetty(9.2.0.v20140526)

I am still getting this error:
XMLHttpRequest cannot load http://localhost:8080/db/query. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.
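
The two captures above can be checked mechanically: the browser applies the same origin check to the preflight response and to the response of the actual request. The JavaScript below is an added example, not part of the thread and not code from Pedestal or cljs-http; `parseHeaders`, `corsCheck`, `preflightCheck` and `diagnose` are names made up for it, and the header text is copied from the posts above with the Allow-Headers list trimmed.

```javascript
// Added example: re-runs the browser-side CORS checks on captured response headers.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.trim().split(/\r?\n/).slice(1)) { // skip the status line
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Applied to every cross-origin response, preflight and actual alike.
function corsCheck(origin, withCredentials, headers) {
  const allow = headers['access-control-allow-origin'];
  if (allow === undefined) return 'missing Access-Control-Allow-Origin';
  if (allow === '*') return withCredentials ? 'wildcard rejected with credentials' : 'ok';
  if (allow !== origin) return 'origin mismatch';
  if (withCredentials && headers['access-control-allow-credentials'] !== 'true')
    return 'Access-Control-Allow-Credentials is not "true"';
  return 'ok';
}

// Extra preflight-only checks; exact-name lists only, "*" entries are not handled.
function preflightCheck(origin, method, reqHeaders, withCredentials, headers) {
  const base = corsCheck(origin, withCredentials, headers);
  if (base !== 'ok') return base;
  const list = (n) => (headers[n] || '').split(',').map((s) => s.trim().toLowerCase());
  const safelisted = ['get', 'head', 'post'].includes(method.toLowerCase());
  if (!safelisted && !list('access-control-allow-methods').includes(method.toLowerCase()))
    return `method ${method} not allowed`;
  const allowed = list('access-control-allow-headers');
  const missing = reqHeaders.find((h) => !allowed.includes(h.toLowerCase()));
  return missing ? `header ${missing} not allowed` : 'ok';
}

// Responses copied from the thread (Allow-Headers list trimmed).
const PREFLIGHT_RESPONSE = `HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://localhost:3000
Access-Control-Allow-Headers: Content-Type, content-type, Origin, Accept
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, HEAD, PATCH, OPTIONS
Access-Control-Allow-Credentials: true`;
const POST_RESPONSE = `HTTP/1.1 200 OK
Content-Type: text/plain
Server: Jetty(9.2.0.v20140526)`;

function diagnose(origin, withCredentials) {
  const pre = parseHeaders(PREFLIGHT_RESPONSE), post = parseHeaders(POST_RESPONSE);
  return { preflight: preflightCheck(origin, 'POST', ['content-type'], withCredentials, pre),
           actual: corsCheck(origin, withCredentials, post) };
}
console.log(diagnose('http://localhost:3000', true));
```

The preflight passes and the POST response fails, which matches the second form of the browser error (the one without "Response to preflight request").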

Dustin Getz

Oct 22, 2015, 1:51:29 PM
to Kenny Williams, pedestal-users
What does the POST request/response look like if you configure cljs-http to send credentials? (cljs-http.client/post url {:with-credentials? true})

Dustin Getz

Oct 22, 2015, 2:01:21 PM
to Kenny Williams, pedestal-users
It looks to me like a problem in pedestal, shouldn't this code get it for the actual (not-preflight) response? Clearly pedestal is allowing the response, it's the browser that is not letting us see the response, because there is a missing header. https://github.com/pedestal/pedestal/blob/7d3895d0ed06f47555644ed560a49b1ab311d7ab/service/src/io/pedestal/http/cors.clj#L86-L89

I would expect to see Access-Control-Allow-Origin: http://localhost:3000 in the response if pedestal was functioning correctly, like we do in the preflight response.

Dustin Getz

Oct 22, 2015, 2:05:12 PM
to Kenny Williams, pedestal-users
In fact isn't this line putting the :cors-headers in the wrong place in the context? :cors-headers need to be under :response, not directly in :context. ... Upon further inspection I don't think this is happening: "(update-in context [:response :headers] merge cors-headers)"

I think this is a pedestal bug

Dustin Getz

Oct 22, 2015, 2:10:11 PM
to Kenny Williams, pedestal-users
Could you be doing anything in your app code handler that breaks this condition? For example an exception in middleware or something that causes there to not be a response? Maybe you have an auth interceptor that is throwing? (Randomly throwing things out, it has been a while and I don't remember what all could cause there to not be a response.) I think it's time to break out the Cursive Clojure debugger.

Kenny Williams

Oct 28, 2015, 1:47:40 AM
to pedestal-users, kenny...@gmail.com
I have figured out the problem. It turns out that an error was being thrown, however, it was getting swallowed and hidden from my debugger. Simply adding a try catch around my handler function fixes the problem.

(defn db-query
  [req]
  (try
    (let [edn-params (:edn-params req)
          q          (:query edn-params)
          args       (:args edn-params)
          q-result   (apply d/q q (d/db conn) args)]
      {:status 200
       :body   (pr-str q-result)})
    (catch Exception ex
      {:status 400
       :body   "Not authorized"})))

alan09...@gmail.com

Sep 13, 2016, 7:12:38 AM
to pedestal-users, kenny...@gmail.com
XMLHttpRequest cannot load http://10.6.7.25:8085/accesstoken. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access. The response had HTTP status code 400.

CORS enabled, still getting this error; only for this URI in the API.
Others are working fine.

pandianf...@gmail.com

Dec 15, 2017, 7:12:06 AM
to pedestal-users