It’s not clear to me if the CORS headers (Access-Control-Allow-Origin, etc.) should be present only in the preflight request (OPTIONS method) or also in the resource headers (I am trying to execute a POST using XHR).
I ask this because I installed a Python plugin that handles CORS, adding CORS headers to OPTIONS (preflight) methods, but not to the requested resource. This approach DOES NOT solve the CORS problem on Chrome and Firefox, returning messages like:
Cross-request request blocked: A policy of the same origin prohibits reading the remote resource in [URL]. This can be fixed by moving the resource to the same domain or enabling CORS.
Edit:
I also found additional information at http://www.html5rocks.com/en/tutorials/cors/, which says:
Access-Control-Allow-Origin (required) - this header should be included in all valid CORS responses; a header exception will cause CORS to fail. The header value can either echo-source the request header (as in the example above) or "*" to allow requests from any source. If you'd like any site to access your data, using '*' is fine. But if you'd like finer control over who can access your data, use the actual value in the header.
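The quoted tutorial text says Access-Control-Allow-Origin should be included in all valid CORS responses. As an added example (not part of the original post and not the plugin mentioned in it), this WSGI middleware sets the header on both the preflight response and the actual POST response; the allowlisted origin, the `resource` app and the `call` helper are constructed for illustration.

```python
# Added example: WSGI middleware that sets CORS headers on the preflight
# response AND on the actual response. Names and origins are constructed.
ALLOWED_ORIGINS = {"https://app.example.test"}  # assumption: sample allowlist

def cors_headers(origin):
    """Headers for an allowed origin; empty list for any other origin."""
    if origin not in ALLOWED_ORIGINS:
        return []
    # Echo the request's Origin rather than "*"; Vary keeps caches correct.
    return [("Access-Control-Allow-Origin", origin), ("Vary", "Origin")]

class CorsMiddleware:
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        extra = cors_headers(environ.get("HTTP_ORIGIN"))
        preflight = (environ["REQUEST_METHOD"] == "OPTIONS"
                     and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ)
        if preflight:
            # Preflight: answer here, never reaching the wrapped application.
            if extra:
                extra += [("Access-Control-Allow-Methods", "POST"),
                          ("Access-Control-Allow-Headers", "Content-Type")]
            start_response("204 No Content", extra)
            return [b""]
        # Actual request: the browser checks this response as well, so the
        # same Access-Control-Allow-Origin header has to be added to it.
        def patched_start(status, headers, exc_info=None):
            return start_response(status, list(headers) + extra, exc_info)
        return self.app(environ, patched_start)

def resource(environ, start_response):
    """Hypothetical resource that knows nothing about CORS."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"ok": true}']

def call(app, method, origin, preflight_for=None):
    """Invoke a WSGI app in-process; return (status, headers dict, body)."""
    environ = {"REQUEST_METHOD": method, "HTTP_ORIGIN": origin}
    if preflight_for:
        environ["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] = preflight_for
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

Calling `call(resource, "POST", ...)` on the unwrapped app returns a response without the header, which is the situation described in the question.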