
Trouble with cors

Open astenuz opened this issue 12 years ago • 4 comments

Hello again,

I'm having trouble using CORS with tonic. The headers in the response are sent, but the response from the server is a 405 Method Not Allowed. I'm not quite sure if this is an issue with tonic or the Apache server itself.

I'm currently adding the headers directly in the response.php (source), because I don't know how to add them using something like $response->header. For example, I tried this in the dispatch: $response->accessControlAllowOrigin="*"; with no luck.

As for the problem at hand, these are the request (using jQuery) and the response.

Request:

OPTIONS /videoserver/chatapi/chat/some_token HTTP/1.1
Host: xxx.xxx.xxx.132:7777
User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Origin: http://xxx.xxx.xxx.130
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

Response:

HTTP/1.1 405 Method Not Allowed
Date: Thu, 18 Jul 2013 15:38:22 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.7
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Max-Age: 604800
Access-Control-Allow-Headers: x-requested-with, content-type
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 57
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

Thanks in advance

astenuz avatar Jul 18 '13 15:07 astenuz

This isn't a problem with tonic, you are making a POST request, which requires you to also set the Access-Control-Allow-Methods: [, ]*

The W3C spec defines POST as a "simple" request, but this is not the case for most browser vendors.

drkibitz avatar Jul 18 '13 16:07 drkibitz

So is there any other thing needed to do server side? Because in the response appears the Access-Control-Allow-Methods header.

astenuz avatar Jul 18 '13 18:07 astenuz

Sorry, I read that wrong, but it makes more sense now. You are allowing only the "POST" method with:

Access-Control-Allow-Methods: POST

but are making an "OPTIONS" request:

OPTIONS /videoserver/chatapi/chat/some_token HTTP/1.1

What you need is this:

Access-Control-Allow-Methods: POST, OPTIONS

And any other type of request method you are planning to make with CORS. I've read a bit, and I've seen that using a wildcard here may or may not work. You can try to see if it does, but for this particular request you do need to allow the "OPTIONS" method.

drkibitz avatar Jul 19 '13 04:07 drkibitz

Actually sorry, now I'm even confusing myself, Access-Control-Request-Method: POST is in your request not response. But your request is using the OPTIONS method. Looks like something going on in your client, or client code. How was this request made? Can you test by making this request again, but changing Access-Control-Request-Method: POST to Access-Control-Request-Method: OPTIONS?

drkibitz avatar Jul 20 '13 08:07 drkibitz
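
The preflight exchange posted in the question, as an added example that is not part of the thread or of tonic: a simplified JavaScript model of the checks a browser applies to a CORS preflight response, run against the posted response. The function and object names are hypothetical; the header values are the ones shown in the issue.

```javascript
// Added example: simplified model of a browser's CORS preflight validation.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// Split a comma-separated header value into trimmed, non-empty tokens.
function tokens(value) {
  return (value || "").split(",").map((t) => t.trim()).filter(Boolean);
}

// preflight: { origin, method, headers: [...], credentials: bool }
// response:  { status, headers: { "lowercase-name": value } }
function checkPreflight(preflight, response) {
  const h = response.headers;
  const wildcardOk = !preflight.credentials; // "*" is not a wildcard when credentials are sent
  const allowOrigin = h["access-control-allow-origin"];
  if (!(allowOrigin === preflight.origin || (wildcardOk && allowOrigin === "*"))) {
    return { ok: false, reason: "origin not allowed" };
  }
  if (preflight.credentials && h["access-control-allow-credentials"] !== "true") {
    return { ok: false, reason: "credentials not allowed" };
  }
  // The headers alone are not enough: the preflight must also answer with a 2xx status.
  if (response.status < 200 || response.status > 299) {
    return { ok: false, reason: `preflight status ${response.status} is not 2xx` };
  }
  const methods = tokens(h["access-control-allow-methods"]);
  const methodOk = methods.includes(preflight.method) ||
    SAFELISTED_METHODS.has(preflight.method) || (wildcardOk && methods.includes("*"));
  if (!methodOk) return { ok: false, reason: `method ${preflight.method} not allowed` };
  const allowed = tokens(h["access-control-allow-headers"]).map((t) => t.toLowerCase());
  for (const name of preflight.headers.map((n) => n.toLowerCase())) {
    if (!allowed.includes(name) && !(wildcardOk && allowed.includes("*"))) {
      return { ok: false, reason: `header ${name} not allowed` };
    }
  }
  return { ok: true, reason: "preflight passed" };
}

// The exchange posted in the issue (addresses are redacted on the page).
const posted = { origin: "http://xxx.xxx.xxx.130", method: "POST",
  headers: ["content-type"], credentials: false };
const postedResponse = { status: 405, headers: {
  "access-control-allow-origin": "*",
  "access-control-allow-methods": "GET, POST, PUT, DELETE, OPTIONS",
  "access-control-allow-headers": "x-requested-with, content-type" } };

// Result for the posted response, then for the same headers with a 204 status.
function demo() {
  return [checkPreflight(posted, postedResponse),
    checkPreflight(posted, { ...postedResponse, status: 204 })];
}
```

Against the posted response the check fails on the 405 status even though every Access-Control-* header is acceptable; the same headers with a 2xx status pass.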