Play 2.6 CORS request missing Access-Control-Allow-Origin header

3,580 views
Skip to first unread message

Juliusz Gonera

unread,
Dec 7, 2017, 3:53:18 PM12/7/17
to Play Framework

I have two apps:

  1. Play 2.6.7 app running at localhost:9000
  2. webpack dev server that runs at localhost:3000

The webpack app makes a POST request to the Play app:

$.ajax({
  url: 'http://localhost:9000/users',
  data: JSON.stringify(data),
  dataType: 'json',
  method: 'POST'
})

To which the Play app responds with:

Failed to load http://localhost:9000/users: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.

Only when i explicitly set the header in the Play app with:

  def create = Action { 
    Ok("stuff").withHeaders(
      "Access-Control-Allow-Origin" -> "http://localhost:3000"
    )
  }

Does the request go through without error.

My question is - why doesn't Play set this header automatically as the docs seem to suggest? My application.conf is an empty file. I've also tried setting:


play.filters.cors.exposedHeaders = ["Access-Control-Allow-Origin"]

with no success

Adam Lane

unread,
Dec 7, 2017, 4:04:06 PM12/7/17
to Play Framework
I am just guessing but I think you need this in your application.conf first:

Greg Methvin

unread,
Dec 7, 2017, 6:08:51 PM12/7/17
to play-framework
What does your cors configuration look like? You need to explicitly configure it to allow localhost:3000. See https://www.playframework.com/documentation/2.6.x/CorsFilter#Configuring-the-CORS-filter

--
You received this message because you are subscribed to the Google Groups "Play Framework" group.
To unsubscribe from this group and stop receiving emails from it, send an email to play-framework+unsubscribe@googlegroups.com.
 To view this discussion on the web visit https://groups.google.com/d/msgid/play-framework/f611574d-0941-4423-b884-c7f171bf12c7%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



--
Greg Methvin
Tech Lead - Play Framework

Juliusz Gonera

unread,
Dec 8, 2017, 1:14:15 PM12/8/17
to Play Framework
@Greg: I've experimented with the available settings you linked but could not find a solution. Current application.conf:

play.filters.cors {
  pathPrefixes = ["/"]
  allowedOrigins = null
  allowedHttpMethods = null
  allowedHttpHeaders = null
  exposedHeaders = ["Access-Control-Allow-Origin"]
  preflightMaxAge = 3 days
}

Results in same error:

Failed to load http://localhost:9000/users: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.


Which settings do i need?

@Adam unfortunately just adding allowActionSpecificHeaders doesn't resolve this issue

On Friday, December 8, 2017 at 12:08:51 AM UTC+1, Greg Methvin wrote:
What does your cors configuration look like? You need to explicitly configure it to allow localhost:3000. See https://www.playframework.com/documentation/2.6.x/CorsFilter#Configuring-the-CORS-filter
On Thu, Dec 7, 2017 at 1:04 PM, Adam Lane <enal...@gmail.com> wrote:
I am just guessing but I think you need this in your application.conf first:

--
You received this message because you are subscribed to the Google Groups "Play Framework" group.
To unsubscribe from this group and stop receiving emails from it, send an email to play-framewor...@googlegroups.com.

Juliusz Gonera

unread,
Dec 8, 2017, 2:30:03 PM12/8/17
to Play Framework
Oh, the CORS filter isn't enabled by default! Changing application.conf to

play.filters.enabled += play.filters.cors.CORSFilter


solves my issue. I must've been tired when posting this. Sorry about the fuss & thanks for the help!
Reply all
Reply to author
Forward
0 new messages