Cross domain event source
I am trying to create an EventSource server using nodejs that will serve requests cross domain. I am sending back the Access-Control-Allow-Origin header, but the browser (neither Chrome nor Opera) won't let me connect. These are the headers I send back:
```js
this._response.writeHead(200, {
  'Content-Type': 'text/event-stream',
  'Cache-Control': 'no-cache',
  'Connection': 'keep-alive',
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Credentials': 'true'
});
```
How can I do this the right way?
Regards
Solution 1:[1]
Allow-Credentials cannot be used with Allow-Origin set to *.
Consider writing the received Origin-header in your response.
Solution 2:[2]
See https://github.com/Yaffle/EventSource - polyfill can be adopted to support CORS for Firefox, Webkit and IE 8+
Solution 3:[3]
Try the following block in place of yours. The browser will call one time with OPTIONS and then the request will be made as expected after that.
You won't need the if statement if you have broken out the request methods - but I wanted to give you a full block just in case you're hosting it like the Hello World example did.
```js
if (req.method === "OPTIONS") {
  console.log('!OPTIONS');
  var headers = {};
  // IE8 does not allow domains to be specified, just the *
  // headers["Access-Control-Allow-Origin"] = req.headers.origin;
  headers["Access-Control-Allow-Origin"] = "*";
  headers["Access-Control-Allow-Methods"] = "POST, GET, PUT, DELETE, OPTIONS";
  headers["Access-Control-Allow-Credentials"] = false;
  headers["Access-Control-Max-Age"] = '86400'; // 24 hours
  headers["Access-Control-Allow-Headers"] = "X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept";
  res.writeHead(200, headers);
  res.end();
}
```
Solution 4:[4]
You get Security Exception (SECURITY_ERR: DOM Exception 18) if you are using cross domain resources. This could be due to:
- trying to access local resources via file:// (local files not served via node server) or
- trying to access resources from another server that does not allow CORS or
- maybe you are testing the page from the local file instead of from the URL served from your node server.
Solution 5:[5]
Note: When responding to a credentialed request, the server must specify an origin in the value of the Access-Control-Allow-Origin header, instead of specifying the "*" wildcard.
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
So:
```js
res.setHeader('Access-Control-Allow-Origin', req.headers.origin)
res.setHeader('Access-Control-Allow-Credentials', 'true')
```
(server-side)
if client's origin (req.headers.origin) is trusted.
Or simply set {withCredentials: false} (client-side) and use res.setHeader('Access-Control-Allow-Origin', '*') if you don't need it.
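
Added example (not part of any answer above, not code from Stack Overflow): an EventSource endpoint that echoes the Origin header only when it is on an allowlist, which is the "if the origin is trusted" condition from Solutions 1 and 5. The origins in `TRUSTED_ORIGINS`, the function names and the `SSE_PORT` variable are assumptions made for the example.

```javascript
// Assumption: origins trusted to read the stream with cookies (constructed values).
const TRUSTED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

// Returns the CORS headers for a request's Origin value, or null when the
// origin is missing or not on the allowlist (including the literal "null"
// that pages opened from file:// send).
function corsHeadersFor(origin) {
  if (typeof origin !== 'string' || !TRUSTED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin, // exact origin; '*' is refused for credentialed requests
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // the response differs per origin, so caches must key on it
  };
}

function handleEvents(req, res) {
  const origin = req.headers.origin;
  const cors = corsHeadersFor(origin);
  if (origin !== undefined && cors === null) {
    // Cross-origin caller that is not trusted: refuse rather than stream data.
    res.writeHead(403, { 'Vary': 'Origin' });
    res.end();
    return;
  }
  res.writeHead(200, {
    'Content-Type': 'text/event-stream',
    'Cache-Control': 'no-cache',
    'Connection': 'keep-alive',
    ...cors, // null for same-origin requests, which spreads to nothing
  });
  res.write('data: connected\n\n');
  const timer = setInterval(() => res.write(`data: ${Date.now()}\n\n`), 1000);
  req.on('close', () => clearInterval(timer));
}

// Starts only when a port is given, e.g. SSE_PORT=8080 node server.js
// Browser side: new EventSource(url, { withCredentials: true })
if (process.env.SSE_PORT) {
  import('node:http').then((http) =>
    http.createServer(handleEvents).listen(Number(process.env.SSE_PORT)));
}
```

Reflecting `req.headers.origin` without the allowlist check has the same effect as a wildcard that also permits cookies, so the lookup in `corsHeadersFor` is the part that carries the security decision.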
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Mir-Ismaili |
| Solution 2 | 4esn0k |
| Solution 3 | Mike Perrenoud |
| Solution 4 | user568109 |
| Solution 5 |
