Swagger-ui: 302 Redirects that aren't handled don't produce a clear error
I have a 302 redirect in the API and Swagger doesn't handle that. It's not its fault, CORS doesn't support this. You get "XMLHttpRequest cannot load URL. The request was redirected to URL, which is disallowed for corss-origin requests that require preflight."
Not sure whether Swagger can do anything about fixing this, however the error is not properly reported, it just looks like the API succeeded and didn't return a response.
dblock
All 11 comments
This is a design of CORS. We can improve the error messages, though.
fehguy
on 11 Sep 2014
:+1:
dblock
on 11 Sep 2014
Hi, Im seeing this problem too!
Are there any workarounds for this ?
carlskii
on 10 Nov 2014
redirects are now handled automatically, however CORS issues when switching protocols or hosts are not.
fehguy
on 28 Jan 2015
CORS issue can't be solved. JavaScript can never know if a cross origin error was thrown.
mohsen1
on 4 Mar 2015
I realize this is closed, but the solution is fairly straightforward, it also points out a limitation of using curl in swagger-ui (see the followup below).
Just a note that I'm using Camel here...
If you already have a method somewhere to add the CORS headers, then don't use:
HttpServletResponse response = exchange.getIn().getBody(HttpServletResponse.class);
response.sendRedirect(url);
addCorsHeaders(exchange); // a method that does this
Doing this will signal your processing to actually strip out all headers but Location and Content-Length (I think the latter, definitely the former). Instead, handle it manually like this:
HttpServletResponse response = exchange.getIn().getBody(HttpServletResponse.class);
response.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
exchange.getIn().setHeader(HttpHeaders.LOCATION, url);
addCorsHeaders(exchange); // a method that does this
If you do this then swagger-ui will play nice... sort of, it won't show the 302, because curl will just return the response from the redirect, which in theory will return a 200, so that's what you'll see. Which is sort of what a web browser does, but it's smart enough to note the new URL and the 302 and the 200 - which swagger-ui is not. But that might be because curl obfuscates it.
tperlmutter
on 31 Jul 2015
@tperlmutter If you can PR a fix for this that would be amazing!
dblock
on 3 Aug 2015
I honestly didn't track down why sendRedirect() strips out all other headers, I just know that it's the culprit and the above is the workaround.
tperlmutter
on 4 Aug 2015
I tried the response above, setting Location header for a 303 response, where the Location had a different server name than the incoming request.
It worked with curl, and chrome POSTMAN, but swagger failed.
I added a combination of CORS headers, still did not worked.Using springfox-swagger2/springfox-swagger-ui 2.6.1 and spring 4.2.5.RELEASE.
Is there a set of CORS headers I need to include?
gsbtech
on 31 Aug 2017
Did anyone knows about this issue? I'm facing the same issue with CORS:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://login.microsoftonline.com/key/oauth2/authorize?client_id=client_id&redirect_uri=https%3A%2F%2Flocalhost%3A4409%2Fsignin-oidc
arlan85
on 2 Oct 2018
@arlan85, if you're still having a problem, please open a new issue 馃槃
shockey
on 9 Oct 2018
Related issues
chanurahemal
路
87Comments
reginaldlouis
路
43Comments
azamatsulaiman
路
34Comments
dalbani
路
42Comments
fehguy
路
57Comments