none
CORS Preflight call is not followed with the GET call RRS feed

  • Question

  • My JavaScript code in the App for Excel needs to make the following GET Ajax call to a REST service:

    jQuery.support.cors = true;
    $
    .ajax({
        type
    : "GET",
        url
    : "https://serverdomain.com/serviceurl,
        cache: false,
        dataType: "
    json",
        timeout: 5000,
        crossDomain: true,
        headers: { 'Authorization': 'Bearer ' + access_token },
        success: function (data) {
            renderInfo(data);
        },
        error: function (jqxhr, textStatus, error) {
            ...
        }
    });

    The following CORS preflight call is triggered because of the Authorization HTTP header.

    OPTIONS https://stcuatsoagw51.uatingdircan.ca:8443/v1/customers/my/?_=1390845096145 HTTP/1.1
    Accept: */*
    Origin: https://localhost:44300
    Access-Control-Request-Method: GET
    Access-Control-Request-Headers: accept, authorization
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
    Host: stcuatsoagw51.uatingdircan.ca:8443
    Content-Length: 0
    DNT: 1
    Connection: Keep-Alive
    Cache-Control: no-cache

    I changed the server side to return the following response to the OPTIONS call:

    HTTP/1.1 200 OK

    Server: Apache-Coyote/1.1

    Access-Control-Allow-Headers: *

    Access-Control-Allow-Methods: GET, PUT, POST, DELETE

    Access-Control-Allow-Credentials: true

    Access-Control-Allow-Origin: *

    Content-Encoding: gzip

    Content-Type: text/xml;charset=UTF-8

    Content-Length: 27

    Date: Mon, 27 Jan 2014 17:51:37 GMT

    The response is essentially to allow all types of CORS calls. However, the browser seems to stop after receiving the OPTIONS call response and doesn't proceed to send out the original GET call.

    Am I missing anything in the response to the OPTIONS call?

    Monday, January 27, 2014 6:14 PM

Answers

  • Found the reason ... I need to get rid of the two wildcards in my response headers, Access-Control-Allow-Headers and Access-Control-Allow-Origin.
    Monday, January 27, 2014 9:49 PM