CORS policy block when consuming API via browser (CORS preflight requests)

Integration questions/issues
Post Reply
UnclePetros
Posts: 1
Joined: Wed Nov 27, 2019 6:28 pm

CORS policy block when consuming API via browser (CORS preflight requests)

Post by UnclePetros » Wed Nov 27, 2019 6:51 pm

Hello,
I'm new to this forum and new to the onlyoffice CRM.
I'm working on a web app, and I need to call onlyoffice API, client side.

I've tried many API call in postman and they all work fine.
Unfortunately the same won't happen in any browser.
Specifically, when I do authentication POST call, I always receive a CORS policy error, that is:
Access to XMLHttpRequest at 'https://myproject.onlyoffice.eu/api/2.0/authentication' from origin 'http://localhost:3000' has been blocked by CORS policy: Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.
After several hours, I've understood browsers when doing this specific POST call, do a preflight CORS request (because of the content-type of the post Call set to application/json);
and so, the following response header is returned by the API:

Code: Select all

Access-Control-Allow-Headers: origin, authorization, accept
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 1728000
Cache-Control: private
Content-Length: 0
Date: Wed, 27 Nov 2019 18:39:21 GMT
Server: Microsoft-IIS/8.0
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-AspNet-Version: 4.0.30319
X-Frame-Options: SAMEORIGIN
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
As can be noticed, the key Access-Control-Allow-Headers lacks of the content-type fields, but it should be allowed in order to pass json data for the authentication, and so the conflict.
Please could you add it to the Access-Control-Allow-Headers field? or is there any other way I could perform a POST call via browser?
I'm using node.js, javascript and axios library to execute calls.

Thank you in advance.
Pietro

Alexandre
Posts: 163
Joined: Thu Dec 12, 2019 11:08 am

Re: CORS policy block when consuming API via browser (CORS preflight requests)

Post by Alexandre » Wed Dec 18, 2019 8:58 am

Hello.
Sorry for delayed response.
We don’t allow this header for POST requests to SaaS solution at this moment. You can use another format for Content-Type: application/x-www-form-urlencoded according to documentation https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS.
We are going to add this header with the next release SaaS portal v.10.5.1.

Post Reply