I am trying to execute a cross-domain request between two applications. On one hand I have my own API, and on the other hand I have my "client application". I have read so much about CORS; I think I know how this works, and here's the problem: it doesn't work. A simple request works, but the problem occurs when I try to execute a complex request (with credentials). I have this code for handling headers and CORS resolution:
    # Assumes `json` is imported and `_response` holds the dict to serialize.
    # Read the caller's Origin and echo it back; fall back to a default when it is absent.
    try:
        _origin = self.request.headers['Origin']
    except KeyError:
        _origin = "http://myapp"
    self.response.headers.add_header("Access-Control-Allow-Origin", _origin)
    self.response.headers.add_header("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
    self.response.headers.add_header("Access-Control-Allow-Credentials", "true")
    self.response.headers.add_header("Access-Control-Allow-Headers", "origin, x-requested-with, content-type, accept")
    # Set (rather than add) the Content-Type so the response does not carry two of them.
    self.response.headers['Content-Type'] = 'application/json'
    self.response.out.write(json.dumps(_response))
EDITED: I work with both applications on the same domain (http://app1.domain.com and http://app2.domain.com).
Since I cannot use wildcards for a request that sends credentials, I read the Origin header and set Access-Control-Allow-Origin on every response for this domain. In my client application, I have this code to make HTTP requests:
    jQuery.extend({
        postJSON: function (_url, _data, _callback) {
            $.ajax({
                cache: false,
                crossDomain: true,
                url: _url,
                data: _data,
                type: 'POST',
                dataType: 'json',
                xhrFields: { withCredentials: true },            // send cookies on the cross-origin request
                headers: { "x-requested-with": "XMLHttpRequest" },
                success: _callback,
                error: function () {
                    var _msg = "<strong>Error: </strong> Error in the HTTP request (protocol level).";
                    _error(_msg);                                // error-display helper defined elsewhere in the app
                }
            });
        }
    });
To process the request, I have the following methods:
    @decorators.notAllowed
    def get(self):
        pass

    @decorators.isNotLogged
    @decorators.language
    def post(self):
        # Actual request: run the login and write the JSON response with the CORS headers
        common._responseJSON(self, CU._doLogin(self))

    def options(self):
        # Preflight request: currently runs the same login logic as POST
        common._responseJSON(self, CU._doLogin(self))
This is the OPTIONS request and response:
    Request URL: http://myapi/method
    Request Method: OPTIONS
    Status Code: 200 OK

    Request Headers
    Accept: */*
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: es-ES,es;q=0.8
    Access-Control-Request-Headers: origin, x-requested-with, content-type, accept
    Access-Control-Request-Method: POST
    Connection: keep-alive
    Host: myapi
    Origin: http://myapp
    Referer: http://myapp/
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

    Response Headers
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: origin, x-requested-with, content-type, accept
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Allow-Origin: http://myapp
    Cache-Control: no-cache
    Content-Encoding: gzip
    Content-Length: 114
    Content-Type: application/json
    Content-Type: text/html; charset=utf-8
    Date: Fri, 16 Nov 2012 11:31:40 GMT
    Server: Google Frontend
    Vary: Accept-Encoding
And this is an HTTP POST request:
    Accept: application/json, text/javascript, */*; q=0.01
    Content-Type: application/json; charset=UTF-8
    Origin: http://myapp
    Referer: http://myapp
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
    x-requested-with: XMLHttpRequest
But when the browser tries to execute the POST request, it fails:
XMLHttpRequest cannot load http://myapi/method/. Origin http://myapp is not allowed by Access-Control-Allow-Origin.
Any idea? I'm going crazy with this problem... What do I need to do in an OPTIONS HTTP request? Maybe I'm not handling it right :-/
Thanks in advance.
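The preflight and the real request described in the question are two separate exchanges, and the browser checks Access-Control-Allow-Origin on both of them: the OPTIONS response alone is not enough, the POST response must carry the header too. The following is an added example, not code from the poster's application, showing a CORS policy function that handles the two cases separately, answers the preflight without running the login handler, and only echoes an Origin that is on an explicit allowlist. Reflecting whatever Origin arrives while also sending Access-Control-Allow-Credentials: true (the pattern in the question) lets any web site make a victim's browser send its cookies to the API and read the reply, so that variant is included only as the counterexample. The allowlist, the function names and the request dictionaries in the test are all assumptions.

```python
# Added example (not the original post's code): a CORS decision function.
# ALLOWED_* values, function names and the sample requests are assumptions.

ALLOWED_ORIGINS = {"http://app1.domain.com", "http://app2.domain.com"}  # assumed allowlist
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_HEADERS = {"origin", "x-requested-with", "content-type", "accept"}


def _lower_keys(headers):
    """HTTP header names are case-insensitive; normalise them for lookups."""
    return {k.lower(): v for k, v in headers.items()}


def cors_policy(method, headers):
    """Decide how to answer a request.

    Returns (status, response_headers, run_handler):
      status           - HTTP status to send when the handler is NOT run
      response_headers - CORS headers to attach to whatever is sent back
      run_handler      - True when the real handler (e.g. the login POST) should run
    """
    h = _lower_keys(headers)
    origin = h.get("origin")
    is_preflight = method == "OPTIONS" and "access-control-request-method" in h

    # No Origin header: same-origin or non-browser client, so no CORS headers at all.
    if origin is None:
        return (200, {}, not is_preflight)

    # Unknown origin: never reflect it. A preflight is refused outright; an actual
    # request still reaches the handler (CSRF defences are a separate concern), but
    # without the CORS headers the browser hides the response from the caller.
    if origin not in ALLOWED_ORIGINS:
        return (403, {"Vary": "Origin"}, False) if is_preflight else (200, {"Vary": "Origin"}, True)

    cors = {
        "Access-Control-Allow-Origin": origin,       # exact origin; "*" is not allowed with credentials
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",                            # response depends on Origin; keep shared caches honest
    }

    if not is_preflight:
        # Actual request (the POST): the handler runs AND the CORS headers go out with its response.
        return (200, cors, True)

    # Preflight: validate what the browser intends to send, answer with no body and
    # without running the real handler (no login, no side effects).
    req_method = h["access-control-request-method"].upper()
    raw = h.get("access-control-request-headers", "")
    req_headers = {x.strip().lower() for x in raw.split(",") if x.strip()}
    if req_method not in ALLOWED_METHODS or not req_headers <= ALLOWED_HEADERS:
        return (403, {"Vary": "Origin"}, False)
    cors.update({
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS | {"OPTIONS"})),
        "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
        "Access-Control-Max-Age": "600",             # let the browser cache the preflight result
    })
    return (204, cors, False)


def unsafe_reflect_any_origin(headers):
    """Counterexample, the pattern from the question: echo whatever Origin arrives and
    allow credentials. Every site on the web then gets a credentialed, readable channel
    to this API for any user who is logged in."""
    origin = _lower_keys(headers).get("origin", "http://myapp")
    return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}
```

The handler wiring is framework-specific; the point of the function is that the OPTIONS branch never touches `_doLogin` and that the POST branch still emits the same Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers, which is what the failing POST in the question is missing.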