No 'Access-Control-Allow-Origin' header is present on the requested resource

So I’m trying to query the “oauth/token” endpoint in Opera via jQuery’s ajax code. The call is carrying out 2 requests. The first one is the OPTIONS request, which returns a 200 and the response data is

access-control-allow-headers: authorization
access-control-allow-origin: *
cache-control: no-cache
content-length: 0
date: Tue, 18 Dec 2018 01:20:31 GMT
expires: -1
pragma: no-cache
server: Microsoft-IIS/8.5
status: 200

So it moves on to the 2nd request, which fails with a 500 and the error from the title. Is anyone experiencing similar issues?
Sorry I can’t post more details about the 2nd request, but for some reason the forum regards me as a “new user” even though I have been a paying customer for more than 10 years, so apparently I can’t post more than 2 links in the same post.

Never mind. I solved it. After some research I noticed I was mixing flows. As this was going to be a web app just for my usage, I had been sending the base64 code & the other code to the client side, and attempting the ajax call to continue with the process (I know it’s insecure to send everything to the browser, but because I’m planning to be the only user of the app I disregarded the issue). And this security issue was the actual problem. The “Authorization” header forces the ajax call to perform an OPTIONS request and then a POST (this last one fails) as it triggers CORS.

So I’ve redesigned it so that I authenticate on the server-side code - this avoids the CORS check.

I have a feeling this Authorization header being there and forcing the CORS check to fail is intentional and it was put in place this way to discourage people from the insecure practice of sending all the codes to the client-side in case they were coding a public app.

Cheers.-
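
Added example, not part of the original posts: a simplified JavaScript model of the checks a browser applies to the exchange described in this thread (whether a preflight is needed, whether the preflight response permits the request, and the origin check on the final response). Only the preflight headers come from the post; the origin, the request header values and the 500 response without CORS headers are constructed assumptions.

```javascript
// Simplified model of the Fetch standard's CORS checks for a request sent without cookies.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Names of request headers that are not CORS-safelisted and so force a preflight.
function unsafeHeaders(headers) {
  return Object.entries(headers).filter(([name, value]) => {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) return true;
    return n === "content-type" && !SIMPLE_TYPES.has(value.split(";")[0].trim().toLowerCase());
  }).map(([name]) => name.toLowerCase());
}

function needsPreflight(req) {
  return !SAFE_METHODS.has(req.method) || unsafeHeaders(req.headers).length > 0;
}

// Origin check applied to every cross-origin response ("*" is accepted when no cookies are sent).
function originAllowed(res, origin) {
  const acao = res.headers["access-control-allow-origin"];
  return acao === "*" || acao === origin;
}

function preflightAllows(res, req) {
  if (res.status < 200 || res.status > 299 || !originAllowed(res, req.origin)) return false;
  const methods = list(res.headers["access-control-allow-methods"]);
  const hdrs = list(res.headers["access-control-allow-headers"]);
  const methodOk = SAFE_METHODS.has(req.method) || methods.includes(req.method.toLowerCase()) || methods.includes("*");
  // "*" in Access-Control-Allow-Headers never covers Authorization; it must be listed by name.
  const headersOk = unsafeHeaders(req.headers).every(
    (h) => hdrs.includes(h) || (h !== "authorization" && hdrs.includes("*")));
  return methodOk && headersOk;
}

// Outcome of the whole exchange as the page's script sees it.
function corsOutcome(req, preflightRes, actualRes) {
  if (needsPreflight(req) && !preflightAllows(preflightRes, req)) return "blocked: preflight";
  if (!originAllowed(actualRes, req.origin)) return "blocked: no Access-Control-Allow-Origin on response";
  return "readable: HTTP " + actualRes.status;
}

// CORS headers of the OPTIONS response quoted in the post.
const PREFLIGHT = { status: 200,
  headers: { "access-control-allow-headers": "authorization", "access-control-allow-origin": "*" } };
// Constructed: origin, header values, and a 500 response that carries no CORS headers.
const REQUEST = { origin: "https://app.example", method: "POST",
  headers: { Authorization: "Basic <placeholder>", "Content-Type": "application/x-www-form-urlencoded" } };
const ERROR_500 = { status: 500, headers: { "content-type": "text/html" } };
```

In this model `corsOutcome(REQUEST, PREFLIGHT, ERROR_500)` passes the preflight and is blocked at the final origin check, and the same POST without the Authorization header needs no preflight at all.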
