11
I am creating an app in Phonegap and consumes an API provided through Nodejs. For that to happen, I need Nodejs to accept the CORS.
How do I enable the CORS for Nodejs to accept the request?
3 answers
16
Enabling CORS is a simple matter of adding the header Access-Control-Allow-Origin to your answer. In Node.js, this is done through the method response.setHeader:
response.setHeader("Access-Control-Allow-Origin", "*"); // Permite qualquer site fazer
// requisições Ajax no seu servidor
or:
response.setHeader("Access-Control-Allow-Origin", "http://example.com"); // Domínio(s)
response.setHeader("Access-Control-Allow-Origin", "http://example.net"); // específico(s)
That answer in the SOEN has more details if needed. To examine the options that CORS offers (including others headers you may want to add) suggest this tutorial (note: in English). In summary:
Access-Control-Allow-Credentials: causes cookies to be passed along with a CORS request (by default, they are not);Access-Control-Expose-Headers: allows the code making the CORS request to access other types of headers in addition to the most common.
6
In addition to @mgibsonbr, about response.setHeader("Access-Control-Allow-Origin", "*"); and the Access-Control-Allow-Credentials, if you make requests in addition to GET, such as POST, PUT, DELETE or even some custom method, it will be easy to define one to two additional headers.
Both the reference in Html5rocks and a second question just below the aforementioned that @mgibsonbr commented on them. I make a point of commenting on this here because it has already given me a huge headache when working with phantomjs and random errors with unclear error messages.
Access-Control-Allow-Methods
For methods other than GET, it will be mandatory for the server to say which methods it accepts, something like
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
//res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
If you have errors, add OPTIONS as well. In some well, complicated situations debugging your browser may make an OPTIONS request before the request it was actually asked to make.
Access-Control-Allow-Headers
Also, if you use any unusual header, it is interesting that your server responds that such header can be used.
res.header('Access-Control-Allow-Headers', 'Content-Type, X-Custom-Header');
Since some types of headers can be used maliciously, browsers may block you from sending an unusual header. Reusing an Xmlhttprequest object and accidentally sending an unwanted header will cause error. Be careful with this.
Debug
Postman is worth using (http://www.getpostman.com/) to debug your tests. It is very intuitive and flexible. Another tool that is hand on wheel is to use Curl when to inspect your server’s raw response.
If you still have problems, make sure to log your Nodejs server ALL type of request to see if your application is not doing something implicit, such as an OPTIONS request, and you have an unclear error message.
0
You can use the middleware https://npmjs.org/package/cors to enable CORS support easily and quickly.
-
Then the solution has already been found without adding any external tool as desired. Thank you.
Browser other questions tagged javascript node.js cors
You are not signed in. Login or sign up in order to post.
In fact, the
OPTIONSis necessary to requisitions preflight. As far as I know, just theGETis exempt from this, so it is important that the server supportsOPTIONSif theAccess-Control-Allow-Methods. I just don’t know if it makes sense to add that to the allow methods - since that header is sent as reply to a requestOPTIONS...– mgibsonbr
I have to do more tests here. But I’m pretty sure I once solved the problem with phantomjs by also including the
OPTIONSin theAccess-Control-Allow-Methods– Emerson Rocha