CORS Header issue: Duplicate Access-Control headers in REST API "OPTIONS" method #22
Comments
Hello Daniel,
Your solutions are rather complex. We don't need such a complexity.
Maybe this works? header_remove("Access-Control-Allow-Origin");
header("Access-Control-Allow-Origin: ".strip_tags(((isset($_SERVER['HTTP_ORIGIN'])) ? $_SERVER['HTTP_ORIGIN'] : "*")));
Unfortunately it does not help to remove the header first.
Does it make sense to only use the access headers if POST/PUT/DELETE request?
I have no experience with CORS, so I leave the decision to you. I would like that the whole CORS stuff is located in one single method and that this method is only called once. I need to have a set of good values (see my table above), and this set of values should be in that method. And then, I will make sure that this method is only called once (I will take care of it). I also need your reproduction in re #21 so that we can find out why you have duplicate headers and I do not. Please quickly add a test debug output to the CORS output methods to check if they are indeed called twice.
I simplify my question: This page https://stackoverflow.com/questions/12630231/how-do-cors-and-access-control-allow-headers-work recommends to set I am very confused about all these parameters, and I need your help. At the moment your replies didn't help me unfortunately...
Ok, sorry! The js-console printed out that the header is duplicate, although if the function might work if called only once, my settings don't look correct! I will notify you in the evening when my tests and reports are complete.
Hello Daniel, Access to XMLHttpRequest at 'https://webfan.de/apps/registry/plugins/viathinksoft/publicPages/100_whois/whois/webwhois_original.php?query=weid%3AEXAMPLE-3$format=json' from origin 'https://frdlweb.de' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values 'https://frdlweb.de, https://frdlweb.de', but only one is allowed.
One possible bug found in REST API: OIDplusPagePublicRestApi::handle404() calls originHeaders(). If REST is called with the request method "OPTIONS", then restApiCall_OPTIONS() will additionally send some of these headers.

(Note: At least for IIS, the software seems to swallow the "OPTIONS" method and not forward it to PHP. I wonder if any software forwards "OPTIONS" to PHP?!)

Here is the comparison of the contents:

We should remove all headers from OIDplusPagePublicRestApi::handle404() (except Access-Control-Allow-Methods) and instead merge them into originHeaders().

@wehowski Since there are some differences in the values and I don't have much knowledge about CORS, I ask you to take a look and help me with the fix (after all, you are the author of originHeaders()). Thank you very much.
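
One way to meet the requirement stated in the thread (all CORS logic in a single method that is called once and emits a single Access-Control-Allow-Origin value), as an added example that is not OIDplus code. The function names, the origin allowlist and the allowed method and header lists are assumptions.

```php
<?php
declare(strict_types=1);

// Assumption: allowlist of trusted origins. The entry is the origin named in
// the browser error quoted in the thread.
const ALLOWED_ORIGINS = ['https://frdlweb.de'];

/** Build the Access-Control-* headers for one request. Pure: emits nothing. */
function corsHeaders(string $method, ?string $origin, array $allowed = ALLOWED_ORIGINS): array
{
    // Unknown or missing Origin: emit no CORS headers, the browser then blocks.
    if ($origin === null || !in_array($origin, $allowed, true)) {
        return [];
    }
    $headers = ['Access-Control-Allow-Origin' => $origin]; // exactly one value
    if ($method === 'OPTIONS') {
        // Preflight-only headers. Both lists are constructed sample values.
        $headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, OPTIONS';
        $headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
        $headers['Access-Control-Max-Age'] = '600';
    }
    return $headers;
}

/** Emit the headers at most once per request, however often this is called. */
function sendCorsHeadersOnce(): void
{
    static $sent = false;
    if ($sent || headers_sent()) {
        return;
    }
    $sent = true;
    // The response depends on Origin, so caches must key on it.
    // replace=false appends instead of clobbering an existing Vary header.
    header('Vary: Origin', false);
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    $origin = $_SERVER['HTTP_ORIGIN'] ?? null;
    foreach (corsHeaders($method, $origin) as $name => $value) {
        header("$name: $value", true); // replace=true overwrites an earlier copy
    }
}

// Stand-alone demo on the command line, using constructed requests.
if (PHP_SAPI === 'cli') {
    var_dump(corsHeaders('OPTIONS', 'https://frdlweb.de'));
    var_dump(corsHeaders('GET', 'https://untrusted.example'));
}
```

PHP's header() replaces an earlier header of the same name by default, so a duplicate that still appears comes from a header(..., false) call elsewhere or from a layer outside PHP, such as web server configuration.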