XHR doesn't work because "Origin is not allowed by Access-Control-Allow-Origin"
I'm working on an API server with Rails 3, which is pretty handy so far, but I keep running into an error and I'm not sure whether it is because of my Apache setup or the Rails app.
When I try to do an HTTP DELETE or PUT request on http://sample.domain/uri/id via XHR, curl or HTTP-Client.app, Rails or Apache responds with 404 or 403 (depends on the client; I think because of CORS) and the Safari developer console responds with
XMLHttpRequest cannot load http://sample.domain/uri/id. Origin http://web.client/ is not allowed by Access-Control-Allow-Origin.
I'm using mod_rack aka mod_rails on an Apache2 and my vhost actually contains this:
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods POST,GET,DELETE,PUT,OPTIONS
Header set Access-Control-Allow-Headers X-Requested-With
The Apache error_log responds with the following error:
[Sat Oct 30 01:37:34 2010] [error] [client 22.222.222.22] client denied by server configuration: /path/to/rails/folder/public, referer: http://web.client/
Rails development.log responds with
Started OPTIONS "/uri/id" for 84.190.123.140 at 2010-10-30 03:18:42 +0200
ActionController::RoutingError (No route matches "/uri/id"):
And here I'm not sure why the OPTIONS call comes through, because I thought this would only be the preflight, and of course there is no route for OPTIONS because I want to respond to DELETE.
If you have any idea on how to fix this problem please share it with me.
Thank you very much, David
On *nix systems you first need to enable the "headers" module in Apache:
sudo a2enmod headers
then you need to include the following line in your vhost:
Header set Access-Control-Allow-Origin "*"
You need to respond to the OPTIONS method. It is sent before the actual DELETE method to determine whether sending a DELETE command is allowed (known as preflighting). You can control how long the permissions are valid with an Access-Control-Max-Age header.
Your response to OPTIONS is where you send the Access-Control-Allow-Origin, etc.
Imagine if that wasn't the case. You'd be sending ACAO after you've already deleted the object, which may or may not have been allowed.
For the origin server it is often best to either create an actual whitelist of servers that can post/delete, or parrot back the requesting server's domain name. A "*" essentially disables CORS and opens up the user to all sorts of attacks.
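One way to do this inside the Rails app rather than in Apache, as an added example that is not from the question or any of the answers: a small Rack middleware that answers the OPTIONS preflight before the request reaches the router and echoes back only allow-listed origins instead of "*". The allow-list, the header values, the stub backend app and the helper names are constructed for this example; it uses only the plain Rack calling convention, so no gem is needed.

```ruby
# Hypothetical allow-list of origins permitted to call the API.
ALLOWED_ORIGINS = ["http://web.client"].freeze

class CorsPreflight
  ALLOWED_METHODS = "POST, GET, DELETE, PUT, OPTIONS".freeze
  ALLOWED_HEADERS = "X-Requested-With, Content-Type".freeze

  def initialize(app, origins)
    @app = app
    @origins = origins
  end

  def call(env)
    origin = env["HTTP_ORIGIN"]
    if env["REQUEST_METHOD"] == "OPTIONS" && env.key?("HTTP_ACCESS_CONTROL_REQUEST_METHOD")
      # Preflight: answer here so Rails never has to route OPTIONS.
      return [403, { "Content-Type" => "text/plain" }, []] unless @origins.include?(origin)
      headers = cors_headers(origin).merge(
        "Access-Control-Allow-Methods" => ALLOWED_METHODS,
        "Access-Control-Allow-Headers" => ALLOWED_HEADERS,
        "Access-Control-Max-Age" => "600"   # cache the preflight result for 10 minutes
      )
      return [204, headers, []]
    end
    status, headers, body = @app.call(env)
    # Actual request: attach ACAO only for an allowed origin; the browser blocks the rest.
    headers = headers.merge(cors_headers(origin)) if @origins.include?(origin)
    [status, headers, body]
  end

  private

  # Echo the specific origin back (never "*") and tell caches the answer varies by Origin.
  def cors_headers(origin)
    { "Access-Control-Allow-Origin" => origin, "Vary" => "Origin" }
  end
end

# Constructed stand-in for the Rails stack behind the middleware.
BACKEND = ->(env) { [200, { "Content-Type" => "text/plain" }, ["deleted #{env['PATH_INFO']}"]] }
APP = CorsPreflight.new(BACKEND, ALLOWED_ORIGINS)

def preflight(origin)
  APP.call("REQUEST_METHOD" => "OPTIONS", "PATH_INFO" => "/uri/id",
           "HTTP_ORIGIN" => origin, "HTTP_ACCESS_CONTROL_REQUEST_METHOD" => "DELETE")
end

def delete_request(origin)
  APP.call("REQUEST_METHOD" => "DELETE", "PATH_INFO" => "/uri/id", "HTTP_ORIGIN" => origin)
end
```

In a Rails 3 app this would be wired in with `config.middleware.insert_before` in the application config so it runs ahead of the router.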
That sounds like a different issue.
You're doing the correct thing regarding the headers for CORS. Something else in your Apache configuration is denying the client. Apache doesn't care about same-origin policy at all, so your "client denied by server configuration" error will be because of an incorrect Access directive or something similar.
As suggested, make sure you can curl -X OPTIONS http://sample.domain/uri/id first.