CORS on Nodejs without the use of Frameworks


11

I am creating an app in Phonegap that consumes an API provided through Nodejs. For that to happen, I need Nodejs to accept CORS.

How do I enable the CORS for Nodejs to accept the request?

3 answers

16


Enabling CORS is a simple matter of adding the header Access-Control-Allow-Origin to your response. In Node.js, this is done through the method response.setHeader:

response.setHeader("Access-Control-Allow-Origin", "*"); // Allows any site to make
                                                        // Ajax requests to your server

or:

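// Specific domain(s). The header holds a single origin and setHeader replaces
// any earlier value for the same name, so use one of these lines, not both.
response.setHeader("Access-Control-Allow-Origin", "http://example.com");
// response.setHeader("Access-Control-Allow-Origin", "http://example.net");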

This answer on SOen has more details if needed. To examine the options that CORS offers (including other headers you may want to add), I suggest this tutorial (note: in English). In summary:

  • Access-Control-Allow-Credentials: causes cookies to be passed along with a CORS request (by default, they are not);
  • Access-Control-Expose-Headers: allows the code making the CORS request to access other types of headers in addition to the most common.

6

In addition to what @mgibsonbr said about response.setHeader("Access-Control-Allow-Origin", "*"); and Access-Control-Allow-Credentials: if you make requests other than GET, such as POST, PUT, DELETE or even some custom method, it will be easy to define one to two additional headers.

Both the Html5rocks reference and a second question, just below the aforementioned one that @mgibsonbr cited, comment on them. I make a point of commenting on this here because it has already given me a huge headache when working with phantomjs and random errors with unclear error messages.

Access-Control-Allow-Methods

For methods other than GET, it will be mandatory for the server to say which methods it accepts, something like:

// Plain Node's http.ServerResponse uses setHeader (res.header is the Express helper)
res.setHeader('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');

//res.setHeader('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');

If you have errors, add OPTIONS as well. In some situations that are, well, complicated to debug, your browser may make an OPTIONS request before the request it was actually asked to make.

Access-Control-Allow-Headers

Also, if you use any unusual header, it is worthwhile for your server to respond that such a header can be used.

res.setHeader('Access-Control-Allow-Headers', 'Content-Type, X-Custom-Header');

Since some types of headers can be used maliciously, browsers may block you from sending an unusual header. Reusing an XMLHttpRequest object and accidentally sending an unwanted header will cause an error. Be careful with this.

Debug

Postman is worth using (http://www.getpostman.com/) to debug your tests. It is very intuitive and flexible. Another very handy tool is curl, for when you need to inspect your server’s raw response.

If you still have problems, make sure your Nodejs server logs ALL types of requests, to see whether your application is doing something implicit, such as an OPTIONS request, while you get an unclear error message.

  • In fact, OPTIONS is necessary for preflight requests. As far as I know, just GET is exempt from this, so it is important that the server supports OPTIONS if the Access-Control-Allow-Methods. I just don’t know if it makes sense to add it to the allowed methods, since that header is sent as a reply to an OPTIONS request...

  • I have to do more tests here. But I’m pretty sure I once solved the problem with phantomjs by also including the OPTIONS in the Access-Control-Allow-Methods
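
A framework-free request listener that combines the headers from the two answers above, as an added example that is not part of the original answers. It echoes the request's Origin only when it is on an allowlist (the header holds a single origin), answers the OPTIONS preflight, and logs every request. The allowlisted origins, the constant names, `corsDecision` and `handle` are assumptions made for illustration.

```javascript
// Added example (not from the answers): CORS with Node's built-in http module.
// The origins and the names below are assumptions for illustration.
const ALLOWED_ORIGINS = new Set(["http://example.com", "http://example.net"]);
const ALLOWED_METHODS = "GET,PUT,POST,DELETE";
const ALLOWED_HEADERS = "Content-Type, X-Custom-Header";

// Pure decision function: which CORS headers to set for this request.
function corsDecision(method, reqHeaders) {
  const origin = reqHeaders["origin"]; // Node lower-cases incoming header names
  // Vary: Origin stops caches from reusing one origin's response for another.
  const headers = { "Vary": "Origin" };
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    // Unknown or absent origin: no Access-Control-* headers, so the browser
    // will not expose the response to the calling page.
    return { allowed: false, preflight: false, headers };
  }
  // The header carries exactly one origin, so echo the allowlisted one.
  headers["Access-Control-Allow-Origin"] = origin;
  const preflight = method === "OPTIONS" &&
    reqHeaders["access-control-request-method"] !== undefined;
  if (preflight) {
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS;
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS;
  }
  return { allowed: true, preflight, headers };
}

// Request listener, usable as http.createServer(handle).
function handle(req, res) {
  const { headers } = corsDecision(req.method, req.headers);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  // Log every request, OPTIONS included, to spot implicit preflights.
  console.log(req.method, req.url, req.headers.origin || "-");
  if (req.method === "OPTIONS") {
    res.statusCode = 204; // preflight answer: headers only, no body
    return res.end();
  }
  res.setHeader("Content-Type", "application/json");
  res.end(JSON.stringify({ ok: true })); // placeholder for the real API
}

// To serve: require("http").createServer(handle).listen(8080);
```

CORS is enforced by the browser, so a rejected origin still reaches the server; the API needs its own authentication regardless of these headers.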

0

  • Then the solution has already been found without adding any external tool as desired. Thank you.
