Only CORS on OPTIONS?

[mbrucher]

trafficstars

I'm trying to fix a problem with CORS on my web app. I have the following CORS call:

CORS(app, resources=[r'/api/*', r'/auth/*'], origins=[r'^https://.*xxxx\.org$'], supports_credentials=True, vary_header=True)

I see the OPTIONS call in Chrome's debug as expected:

access-control-allow-credentials: true
access-control-allow-headers: content-type
access-control-allow-methods: DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT
access-control-allow-origin: https://xxxx.xxxx.org
allow: POST, OPTIONS

But then the POST call fails and I don't see the call on the backend:

'Access to XMLHttpRequest at 'https://api.xxxx.xxxx.org/search' from origin 'https://xxxx.xxxx.org' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.'

Is there something I missed that I should check? The headers are lower case, maybe that's the problem?

[mbrucher]

I thought it was a JWT issue as well, as it happens only on flask-JWT-extended protected entry points, but it looks like if I remove the protection and put it in the code (so instead of being JWT->CORS->code, it's CORS->code->JWT), I still hav the same problems and no calls to the API.

[corydolphin]

Hey @mbrucher sorry for the delay.

If you enable debug logging, there should be more verbose information on the Python side about what is happening, and why. Offhand, that configuration looks good to me.

Set logging.getLogger('flask_cors').level = logging.DEBUG to enable verbose logging.

Cheers, Cory