Our website uses the HTML5 API to call our NodeJS support team for specific actions. Our backend is in a different domain on the main website, so we enabled CORS in the Node app. This works for 99% of our customers.
However, one client was having problems. They try to access our site from their workplace (perhaps their network at the workplace has higher security settings ..?), And they get the following error:
api.our- node -backend.com/blah Failed to load the resource: the server responded with a status of 403 (Forbidden) book: 1 Fetch API cannot load https://api.our-node-backend.com/blah . The response to the preflight request does not pass the access control check: No "Access-Control-Allow-Origin" header is present on the requested resource. of origin is ' https://www.our-frontend-website.com ' so access is not allowed. The response had an HTTP status code of 403. If an opaque response caters to your needs, set the request mode to "no-cors" to get the resource with CORS disabled.
Our Node application is currently configured as follows:
app.use(function(req, res, next) {
res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
res.header('Access-Control-Allow-Headers', 'Content-Type');
next();
});
app.options('*', function(req, res) {
res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
res.header('Access-Control-Allow-Headers', 'Content-Type');
res.status(200).send();
});
- ? Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept" "Content-Type". ?