B4J Question Preflight CORS issue

xulihang

Active Member
Licensed User
Longtime User
I started a server with SSL support with the domain pointing to 127.0.0.1.

I've also added the header in the handler:

B4X:
resp.SetHeader("Access-Control-Allow-Origin","*")
resp.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, HEAD, DELETE, PUT")
resp.setHeader("Access-Control-Max-Age", "3600")
resp.setHeader("Access-Control-Allow-Headers", "Access-Control-Allow-Headers, Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization, api_key")

But I am still getting the preflight CORS issue on Chrome.

B4X:
Access to fetch at 'https://local.basiccat.org:51043/' from origin 'https://ac.qq.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Are there any solutions?
xulihang

Active Member
Licensed User
Longtime User
Don't confuse SSL and CORS. You should configure CORS before server starts.
I've configured CORS according to this as well: https://www.b4x.com/android/forum/threads/banano-b4j-the-dreaded-cors-exception-solved.141890/

Curl result:

B4X:
curl https://local.basiccat.org:51043/translate
StatusCode        : 200
StatusDescription : OK
Content           : no imagetrans is connected
RawContent        : HTTP/1.1 200 OK
                    Access-Control-Allow-Origin: *
                    Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT
                    Access-Control-Max-Age: 3600
                    Access-Control-Allow-Headers: Access-Control-Allow-Headers...
Forms             : {}
Headers           : {[Access-Control-Allow-Origin, *], [Access-Control-Allow-Methods, POST, GET, OPTIONS, DELETE, PUT],
                    [Access-Control-Max-Age, 3600], [Access-Control-Allow-Headers, Access-Control-Allow-Headers, Origin, Accept,
                    X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization,
                    api_key]...}
Images            : {}
InputFields       : {}
Links             : {}
ParsedHtml        : mshtml.HTMLDocumentClass
RawContentLength  : 26
 
Upvote 0

xulihang

Active Member
Licensed User
Longtime User
After changing it to the following:

B4X:
ConfigureCORS("/*", "*", "GET,POST,HEAD,OPTIONS", "X-Requested-With,Content-Type,Accept,Origin")

I got another error:

B4X:
Access to fetch at 'https://local.basiccat.org:51043/translate' from origin 'https://www.basiccat.org' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Private-Network' header was present in the preflight response for this private network request targeting the `local` address space.
 
Upvote 0

alwaysbusy

Expert
Licensed User
Longtime User
Just to check, but you have a FILTER (not handler) that does something like this, right?

B4X:
resp.ContentType = "application/json"
resp.SetHeader("Access-Control-Allow-Origin","*")
resp.SetHeader("Access-Control-Allow-Methods" ,"GET, POST, UPDATE, DELETE, OPTIONS")
resp.SetHeader("Access-Control-Allow-Headers", "Access-Control-Allow-Headers, Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization, api_key") '<-------- change to whatever you need
If req.Method = "OPTIONS" Then
       Return True
End If
resp.SetHeader("X-Frame-Options", "DENY")
resp.SetHeader("X-XSS-Protection", "1;mode=block")
resp.SetHeader("Strict-Transport-Security", "max-age=31536000;includeSubDomains;preload")
resp.SetHeader("X-Content-Type-Options", "nosniff")
resp.SetHeader("Referrer-Policy", "no-referrer-when-downgrade")
resp.SetHeader("Content-Security-Policy", "script-src https://api.yourdomain.com") ' <-------------------- change to what it is for you
resp.SetHeader("Feature-Policy", "microphone 'none'")
 
Upvote 1
Solution

xulihang

Active Member
Licensed User
Longtime User
'Access-Control-Allow-Private-Network' header is not yet supported by Jetty: https://github.com/eclipse/jetty.project/issues/7642

I managed to make it work using a filter.

B4X:
'Filter class
Sub Class_Globals

End Sub

Public Sub Initialize

End Sub

'Return True to allow the request to proceed.
'Returning False ends the request here, so the response carrying the header
'set above is what the browser receives as the answer to its preflight.
Public Sub Filter(req As ServletRequest, resp As ServletResponse) As Boolean
    resp.SetHeader("Access-Control-Allow-Private-Network","true")
    Return False
End Sub
 
Upvote 0
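Added example, not code from the thread or from B4J: a Python model of the decision Chrome makes on a preflight response, reproducing both errors above (missing Access-Control-Allow-Origin, then missing Access-Control-Allow-Private-Network for a `local` target), plus a server-side counterpart of the filter that echoes an allow-listed origin instead of `*`. Header names, values and origins in the sample messages are constructed for the example.

```python
"""Model of the browser's CORS preflight check, including Chrome's Private
Network Access (PNA) rule behind the second error in the thread. Header
dicts use lowercase keys; all sample messages are constructed."""

SAFE_METHODS = {"GET", "HEAD", "POST"}  # never need listing in Allow-Methods

def _csv(value):
    """Split a comma-separated header value into trimmed tokens."""
    return [t.strip() for t in value.split(",") if t.strip()] if value else []

def preflight_check(req, resp):
    """Return (ok, reason) for preflight request headers `req` answered with
    response headers `resp`, mirroring Chrome's checks for a credential-less request."""
    origin = req.get("origin", "")
    allow_origin = resp.get("access-control-allow-origin")
    if allow_origin is None:
        return False, "No 'Access-Control-Allow-Origin' header is present"
    if allow_origin not in ("*", origin):
        return False, f"origin {origin} not allowed by {allow_origin}"
    method = req.get("access-control-request-method", "GET")
    allowed = _csv(resp.get("access-control-allow-methods"))
    if method not in SAFE_METHODS and "*" not in allowed and method not in allowed:
        return False, f"method {method} not in Access-Control-Allow-Methods"
    wanted = [h.lower() for h in _csv(req.get("access-control-request-headers"))]
    granted = [h.lower() for h in _csv(resp.get("access-control-allow-headers"))]
    missing = [h for h in wanted if h not in granted and "*" not in granted]
    if missing:
        return False, f"headers {missing} not in Access-Control-Allow-Headers"
    # Chrome sends this request header when a page targets a local/private
    # address space; the server must opt in explicitly or the preflight fails.
    if req.get("access-control-request-private-network") == "true":
        if resp.get("access-control-allow-private-network") != "true":
            return False, "No 'Access-Control-Allow-Private-Network' header was present"
    return True, "preflight passed"

def preflight_response(req, allowed_origins):
    """Server-side counterpart of the thread's filter: echo an allow-listed
    origin instead of '*', and opt in to PNA only when the browser asks."""
    origin = req.get("origin", "")
    if origin not in allowed_origins:
        return {}  # no CORS headers at all: the browser blocks the request
    resp = {"access-control-allow-origin": origin, "vary": "Origin",
            "access-control-allow-methods": "GET, POST, OPTIONS",
            "access-control-allow-headers": "Content-Type, Authorization",
            "access-control-max-age": "3600"}
    if req.get("access-control-request-private-network") == "true":
        resp["access-control-allow-private-network"] = "true"
    return resp
```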