Core: Impossible to send Authorization headers

Created on 18 Nov 2018  ·  3 Comments  ·  Source: home-assistant/core

Home Assistant release with the issue:
0.82.1

Last working Home Assistant release (if known):

Operating environment (Hass.io/Docker/Windows/etc.):
Hass.io

Component/platform:
http

Description of problem:
I tried to use the API in a React application using axios:

import axios from "axios";

axios.get("http://my-hassio-instance/api/states", {
  headers: {
    "Authorization": "Bearer xxxx"
  }
});

But I get this error on the preflight request (OPTIONS):

CORS preflight request failed: headers are not allowed: AUTHORIZATION

Problem-relevant configuration.yaml entries and (fill out even if it seems unimportant):

api:

frontend:

http:
  # Secrets are defined in the file secrets.yaml
  api_password: !secret http_password
  cors_allowed_origins:
    - http://localhost:3001

The React app is running on port 3001 on localhost.

Traceback (if applicable):


Additional information:
I think Authorization headers must be allowed in the CORS file:

ALLOWED_CORS_HEADERS = [
    ORIGIN, ACCEPT, HTTP_HEADER_X_REQUESTED_WITH, CONTENT_TYPE,
    HTTP_HEADER_HA_AUTH]

Labels: http, waiting-for-reply

All 3 comments

Can you please retry this on 83+?

Same issue on 0.84.1

The correct way is to not require authorization on pre-flight because browsers don't support adding auth headers on OPTIONS pre-flight.
See this: https://stackoverflow.com/questions/15734031/why-does-the-preflight-options-request-of-an-authenticated-cors-request-work-in

Would it be ok if I create a PR for this?
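
The two points raised in this thread (the allow-list has to name Authorization, and the preflight itself cannot be required to carry credentials), as an added example that is not part of the issue or of Home Assistant's code. It is a standard-library Python model of the server side; `preflight`, `handle`, `VALID_TOKEN`, the sample request and the string values substituted for the header constants are assumptions.

```python
ALLOWED_ORIGINS = {"http://localhost:3001"}  # cors_allowed_origins from the issue
# The issue's ALLOWED_CORS_HEADERS with the constants written out as strings
# (assumed values; "X-HA-access" stands in for HTTP_HEADER_HA_AUTH).
HEADERS_AS_REPORTED = ["Origin", "Accept", "X-Requested-With",
                       "Content-Type", "X-HA-access"]
HEADERS_WITH_AUTH = HEADERS_AS_REPORTED + ["Authorization"]
VALID_TOKEN = "constructed-token"  # constructed sample credential


def preflight(headers, allowed_headers):
    """Answer an OPTIONS preflight; returns (status, response headers or reason)."""
    origin = headers.get("Origin")
    if origin not in ALLOWED_ORIGINS:
        return 403, "origin is not allowed"
    requested = [h.strip() for h in
                 headers.get("Access-Control-Request-Headers", "").split(",")
                 if h.strip()]
    allowed = {h.lower() for h in allowed_headers}  # header names are case-insensitive
    denied = [h.upper() for h in requested if h.lower() not in allowed]
    if denied:
        return 403, "headers are not allowed: " + ", ".join(denied)
    return 200, {
        "Access-Control-Allow-Origin": origin,  # echo the vetted origin, never "*"
        "Access-Control-Allow-Methods": headers.get("Access-Control-Request-Method", "GET"),
        "Access-Control-Allow-Headers": ", ".join(requested),
        "Vary": "Origin",
    }


def handle(method, headers, allowed_headers):
    """Route a request: the preflight is exempt from auth, everything else is not."""
    if method == "OPTIONS" and "Access-Control-Request-Method" in headers:
        # The browser only names Authorization here; it sends no token.
        return preflight(headers, allowed_headers)
    if headers.get("Authorization") != "Bearer " + VALID_TOKEN:
        return 401, "unauthorized"
    return 200, "states payload"


# Constructed preflight, shaped like the one a browser sends for the axios call.
SAMPLE_PREFLIGHT = {
    "Origin": "http://localhost:3001",
    "Access-Control-Request-Method": "GET",
    "Access-Control-Request-Headers": "authorization",
}

if __name__ == "__main__":
    print(handle("OPTIONS", SAMPLE_PREFLIGHT, HEADERS_AS_REPORTED))
    print(handle("OPTIONS", SAMPLE_PREFLIGHT, HEADERS_WITH_AUTH))
```

Exempting the preflight from authentication does not weaken the API: the origin check still applies to it, and the follow-up GET is rejected unless it carries a valid bearer token.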
