Hapi: Preflight CORS issue in Chrome

Created on 23 Dec 2015  路  9Comments  路  Source: hapijs/hapi

I just upgrade from hapi 8.9.0 to hapi 11.1.2 and get a preflight issue in chrome.

XMLHttpRequest cannot load http://localhost:8002/auth/current. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8000' is therefore not allowed access.

The request is blocked but works in:

[ x ] Firefox (v. 42)
[ x ] IE11
[ ] Chrome (Version 49.0.2599.0 canary (64-bit), Version 47.0.2526.106 m)
[ ] Opera (34.0.2036.25)

Glue confguration:

connections: [{
        labels: ['business'],
        host: Config.server.business.host,
        port: Config.server.business.port,
        routes: {
            cors: true,
            validate: {
                options: {
                    abortEarly: false
                }
            },
            timeout: {
                socket: 11 * 60 * 1000, // Determines how long before closing request socket.
                server: false // Determines how long to wait for server request processing. Disabled by default
            }
        }
    }.....
support
Source
picture StarpTech

Most helpful comment

Ah, this is how (http://stackoverflow.com/questions/36883860/hapi-js-cors-pre-flight-not-returning-access-control-allow-origin-header):

this.server.connection({
      host: '0.0.0.0',
      port: this.config.webservice_port,
      routes: {
        cors: {
          origin: ['*'],
          additionalHeaders: ['token']
        }
      }
    });
picture RichardJECooke on 14 Jul 2016
👍4

All 9 comments

Need more information. Ideally some curl examples showing the specific responses. The new code will tell you the reason cors headers were not included in the error details.

hueniverse picture hueniverse on 23 Dec 2015

XHR in Chrome:

Request URL:http://localhost:8002/auth/current
Request Method:OPTIONS
Status Code:200 OK
Remote Address:127.0.0.1:8002

Response Headers:

HTTP/1.1 200 OK
content-type: application/json; charset=utf-8
cache-control: no-cache
vary: accept-encoding
content-encoding: gzip
Date: Wed, 23 Dec 2015 18:15:56 GMT
Connection: keep-alive
Transfer-Encoding: chunked

Request Headers:

OPTIONS /auth/current HTTP/1.1
Host: localhost:8002
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Access-Control-Request-Method: GET
Origin: http://localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2599.0 Safari/537.36
Access-Control-Request-Headers: accept, accept-language, authorization, content-type
Accept: */*
DNT: 1
Referer: http://localhost:8000/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-GB,en;q=0.8,en-US;q=0.6,de;q=0.4,nb;q=0.2

will be blocked by chrome as

XMLHttpRequest cannot load http://localhost:8002/auth/current. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8000' is therefore not allowed access.

also setting origins in cors object has no effect.

StarpTech picture StarpTech on 23 Dec 2015

accept-language is not in the default cors list

hueniverse picture hueniverse on 23 Dec 2015

@hueniverse thanks works with 

"cors": {
        "headers": ["Accept", "Authorization", "Content-Type", "If-None-Match", "Accept-language"]
}
StarpTech picture StarpTech on 23 Dec 2015

Hi @StarpTech, I am using AngularJS and Web API and facing same issue. Can you please tell me where you put
: "cors": {
"headers": ["Accept", "Authorization", "Content-Type", "If-None-Match", "Accept-language"]
}?

My $http call:

this.getDdlData = function (type) {
return $http({
method: 'GET',
withCredentials: true,
data: 'jsonp',
url: 'http://localhost:54004/api/ApiCommons/' + type + '/' + $('#hdnUserId').val()
});
}

My Web API. config:

var cors = new EnableCorsAttribute("_", "_", "*");
cors.SupportsCredentials = true;
config.EnableCors(cors);

My Api method :

[ResponseType(typeof(Common))]
[Route("api/ApiCommons/{type}/{windowsId}")]
public List Get(string type, string windowsId){

}

ghost picture ghost on 13 Jun 2016

@dhiraj1mumbai This is not a .NET support forum, please ask your questions in more appropriate places.

Marsup picture Marsup on 13 Jun 2016

Where does "cors": { "headers": go please?

I thought this was how you do cors:

server.connection({ port: 3000, routes: { cors: true } });

RichardJECooke picture RichardJECooke on 14 Jul 2016

Ah, this is how (http://stackoverflow.com/questions/36883860/hapi-js-cors-pre-flight-not-returning-access-control-allow-origin-header):

this.server.connection({
      host: '0.0.0.0',
      port: this.config.webservice_port,
      routes: {
        cors: {
          origin: ['*'],
          additionalHeaders: ['token']
        }
      }
    });
RichardJECooke picture RichardJECooke on 14 Jul 2016
👍4

Having the same issue as OP, however stated fix did not work for me. Found success using: https://www.npmjs.com/package/hapi-cors-headers

karn09 picture karn09 on 8 Sep 2017
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

mahnunchik picture mahnunchik  路  4Comments
jeremiahlee picture jeremiahlee  路  4Comments
taoeffect picture taoeffect  路  3Comments
jeffbski picture jeffbski  路  5Comments
RohovDmytro picture RohovDmytro  路  4Comments