I cannot complete a cross-domain request with an authorization header (testing using Firefox). I have requests that work without authentication, but as soon as I set withCredentials to true, I can no longer read the response from the server.
On the server, I send these headers (using the after_request method in Flask):
resp.headers['Access-Control-Allow-Origin'] = '*' resp.headers['Access-Control-Allow-Credentials'] = 'true' resp.headers['Access-Control-Allow-Methods'] = 'POST, OPTIONS' resp.headers['Access-Control-Allow-Headers'] = 'Authorization'
No OPTIONS call is actually made by Firefox. On the client, I call the XMLHttpRequest call:
var xhr = new XMLHttpRequest() xhr.open( 'POST', 'http://test.local:8002/test/upload', true) xhr.withCredentials = true xhr.onreadystatechange = function() { console.log( xhr.status, xhr.statusText ) } xhr.send(fd)
Without withCredentials set, the log statement will write pending information to the console. As soon as I set the value, however xhr does not allow access, and I just write the value 0 and an empty string. I did not set an authorization header here, but this should not affect my ability to read the result.
If I try to add the username / password to the "open" command, I get the error NS_ERROR_DOM_BAD_URI: Access to restricted URI denied .
What am I doing wrong?
edA-qa mort-ora-y Feb 18 '14 at 10:12 2014-02-18 10:12
source share