Restangular error handling: a CORS problem?

We have a Restangular issue with API error handling. If the API responds with 200, everything works fine. However, when the API returns 409, we get this lovely one:

XMLHttpRequest cannot load https://**token=*. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:9000' is therefore not allowed access.

Response headers from the actual operation after the message:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:Origin, X-Requested-With, Content-Type, Authorization, Accept, X-Authorization, User-Agent, DNT, Cache-Control, X-Mx-ReqToken, Keep-Alive, If-Modified-Since
Access-Control-Allow-Methods:GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin:http://127.0.0.1:9000
Access-Control-Max-Age:1728000
Cache-Control:private, must-revalidate
Connection:keep-alive
Content-Type:text/html; charset=utf-8
Date:Fri, 29 Aug 2014 21:55:51 GMT
ETag:"*****"
Server:nginx/1.6.0
X-Frame-Options:SAMEORIGIN
X-Powered-By:HHVM/3.3.0-dev+2014.08.22

Response headers from a post operation with a 409 response captured from postman:
Cache-Control →no-cache
Connection →keep-alive
Content-Encoding →gzip
Content-Type →text/html; charset=utf-8
Date →Fri, 29 Aug 2014 21:56:59 GMT
Server →nginx/1.6.0
Transfer-Encoding →chunked
X-Frame-Options →SAMEORIGIN
X-Powered-By →HHVM/3.3.0-dev+2014.08.22

      

Any attempt to catch the response message or handle the error as stated in the Restangular docs results in this:
config: Object
data: ""
headers: function (name) {
status: 0
statusText: ""

      

I always have 0.

Let me know if you need more information.



1 answer


This really has nothing to do with restangular, but with your webserver configuration.
What happens is that your webserver is not configured to return CORS headers on error.

Because of this, you cannot access any of the returned data from the AJAX request, even though data was returned. You won't even be able to see it in the Chrome network inspector (other than status code and headers). Also, since this is a security breach, you cannot even access the status code, headers or anything from JavaScript; everything is blocked.

However, you will be able to see it in a proxy like Fiddler or Charles, or when you make a request directly to the API server (in case of a GET request), because the request was actually made and the data will be returned; browser security policies simply deny access to it through AJAX due to missing CORS headers.



This does not mean that you can simply disable AJAX requests to any other domain and possibly interact with it. The only reason your requests are coming in the first place is because a pre-flight OPTIONS request is programmed to allow CORS.

Solution:
Configure your web server to include CORS headers in case of an error response. The headers you are looking for are available in the actual response you provided (Access-Control-*).

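The check the browser applies to both responses, as an added example that is not part of the original question or answer. The header dumps are trimmed copies of the two in the question; the function names and the `withCredentials` flag are assumptions made for illustration.

```javascript
// Added example: would the browser let page script read this cross-origin response?
// Header dumps are trimmed copies of the two in the question; names are hypothetical.

// Accepts both paste styles seen above: "Name:value" and Postman's "Name →value".
function parseHeaderDump(text) {
  const headers = new Map();
  for (const line of text.split('\n')) {
    const m = line.match(/^\s*([A-Za-z0-9-]+)\s*(?::|→)\s*(.*?)\s*$/);
    if (m) headers.set(m[1].toLowerCase(), m[2]);
  }
  return headers;
}

// The CORS check a browser runs on a cross-origin response, whatever its status code.
function corsVerdict(headers, origin, withCredentials) {
  const allow = headers.get('access-control-allow-origin');
  if (allow === undefined) return { readable: false, reason: 'no Access-Control-Allow-Origin' };
  if (allow === '*' && !withCredentials) return { readable: true, reason: 'wildcard origin' };
  if (allow !== origin) return { readable: false, reason: `allowed origin is ${allow}` };
  if (withCredentials && headers.get('access-control-allow-credentials') !== 'true') {
    return { readable: false, reason: 'Access-Control-Allow-Credentials is not true' };
  }
  return { readable: true, reason: 'origin allowed' };
}

const ORIGIN = 'http://127.0.0.1:9000';
const WORKING_RESPONSE = `Access-Control-Allow-Credentials:true
Access-Control-Allow-Methods:GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin:http://127.0.0.1:9000
Content-Type:text/html; charset=utf-8
Server:nginx/1.6.0`;
const ERROR_409_RESPONSE = `Cache-Control →no-cache
Content-Type →text/html; charset=utf-8
Server →nginx/1.6.0
X-Frame-Options →SAMEORIGIN`;

// Returns the labels of responses that script on `origin` would only see as status 0.
function blockedResponses(samples, origin, withCredentials) {
  return Object.keys(samples).filter(
    (label) => !corsVerdict(parseHeaderDump(samples[label]), origin, withCredentials).readable
  );
}

const samples = { working: WORKING_RESPONSE, 'error 409': ERROR_409_RESPONSE };
console.log(blockedResponses(samples, ORIGIN, true));
```

Pasting in the headers of each error status the API can return shows which ones the server still sends without the Access-Control-* set.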