So, I know that there are a lot of CORS posts, and I am just adding to them, but I cannot find answers that help me. I am creating an Angular 4 application that relies on my PHP API. It works fine locally, but when I put it on the domain, with the app at app.example.com and the API at api.example.com, I can't get past my login, because I get the following error:
    XMLHttpRequest cannot load http://api.example.com/Account/Login. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://app.example.com' is therefore not allowed access.
My PHP code is as follows:
    // The Origin header is absent on same-origin and non-browser requests.
    $http_origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : '';
    $allowed_domains = array(
        'http://example.com',
        'https://example.com',
        'http://app.example.com',
        'https://app.example.com',
        'http://www.example.com',
        'https://www.example.com'
    );
    // Reflect the origin only when it is on the allow-list.
    if (in_array(strtolower($http_origin), $allowed_domains))
    {
        header("Access-Control-Allow-Origin: $http_origin");
        header('Access-Control-Allow-Credentials: true');
        header('Access-Control-Max-Age: 86400');
    }
    // Answer the preflight request and stop before the API code runs.
    if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
        header("Access-Control-Allow-Methods: GET, POST, OPTIONS");
        header("Access-Control-Allow-Headers: Authorization, Content-Type, Accept, Origin");
        exit(0);
    }
My angular post is as follows:
    public login(login: Login): Observable<LoginResponse> {
        let headers = new Headers();
        headers.append('Content-Type', 'application/x-www-form-urlencoded');
        headers.append('Authorization', 'Basic ' + btoa(login.Username + ':' + login.Password));
        return this.http.post(this.apiBaseUrl + '/Account/Login', "grant_type=client_credentials", { headers: headers })
            .map(response => {
            });
    }
If I run the request through Postman, which does not bother with CORS, I get:
{ "error": "invalid_client", "error_description": "Client credentials were not found in the headers or body" }
I tried setting the origin to "*" to check whether that was the core of the problem, and it still fails the same way.
Edit
Just updating with the information below. Changing the casing in the headers had no effect, and pulling the code out of the if statements had no effect.
php, , api, php , . if.
2
, - - , .
3
.htaccess, php, . , , , .
{"error":"invalid_client","error_description":"Client credentials were not found in the headers or body"}
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:authorization, content-type, accept, origin
Access-Control-Allow-Methods:GET, POST, OPTIONS
Access-Control-Allow-Origin:*
* , . *.
.
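A simplified version of the checks a browser applies to a preflight response like the ones described above, as an added example that is not part of the original post. The function `checkPreflight`, the request/response object shapes and the sample responses are constructed for illustration.

```javascript
// Added example: simplified browser-side preflight check (not the page's code).
const SAFELISTED_METHODS = ['GET', 'HEAD', 'POST'];

// Split a comma-separated header value into trimmed, non-empty tokens.
const tokens = v => (v || '').split(',').map(s => s.trim()).filter(Boolean);

// req: { origin, method, headers: [non-safelisted names], credentials: boolean }
// res: { status, headers: { lower-case name: value } }
function checkPreflight(req, res) {
  const problems = [];
  const h = res.headers;
  if (res.status < 200 || res.status > 299) problems.push('preflight status is not 2xx');

  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    problems.push('no Access-Control-Allow-Origin header');
  } else if (allowOrigin === '*') {
    if (req.credentials) problems.push('wildcard origin not allowed with credentials');
  } else if (allowOrigin !== req.origin) {
    problems.push('Access-Control-Allow-Origin does not match Origin');
  }
  if (req.credentials && h['access-control-allow-credentials'] !== 'true') {
    problems.push('Access-Control-Allow-Credentials is not "true"');
  }

  const methods = tokens(h['access-control-allow-methods']);
  const methodOk = SAFELISTED_METHODS.includes(req.method) ||
    methods.includes(req.method) || (!req.credentials && methods.includes('*'));
  if (!methodOk) problems.push('method not allowed: ' + req.method);

  const allowed = tokens(h['access-control-allow-headers']).map(s => s.toLowerCase());
  for (const name of req.headers.map(n => n.toLowerCase())) {
    // "*" never covers Authorization and is taken literally when credentials are sent.
    const wildcard = !req.credentials && name !== 'authorization' && allowed.includes('*');
    if (!allowed.includes(name) && !wildcard) problems.push('header not allowed: ' + name);
  }
  return problems;
}

// Constructed sample: the question's login request (POST with an Authorization header).
const loginRequest = { origin: 'http://app.example.com', method: 'POST',
  headers: ['Authorization'], credentials: false };
// Constructed responses: no CORS headers at all, and the headers listed in the question.
const bare = { status: 200, headers: {} };
const shown = { status: 200, headers: {
  'access-control-allow-origin': '*', 'access-control-allow-credentials': 'true',
  'access-control-allow-methods': 'GET, POST, OPTIONS',
  'access-control-allow-headers': 'authorization, content-type, accept, origin' } };
console.log(checkPreflight(loginRequest, bare), checkPreflight(loginRequest, shown));
```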
