CORS issue on simulator

Hi,

I am running into a CORS issue on the Android simulator. I have set ‘Access-Control-Allow-Origin’ to ‘*’ to enable CORS on my APIs, but am getting the following error:

A wildcard ‘*’ cannot be used in the ‘Access-Control-Allow-Origin’ header when the credentials flag is true. Origin ‘http://localhost’ is therefore not allowed access

I am using {withCredentials: true} in the post method; without this, the HTTP session on my server didn’t seem to work.

My environment:

cli packages: (/usr/lib/node_modules)

@ionic/cli-utils  : 1.19.2
ionic (Ionic CLI) : 3.20.0

global packages:

cordova (Cordova CLI) : 8.0.0 

local packages:

@ionic/app-scripts : 3.2.1
Cordova Platforms  : android 7.0.0
Ionic Framework    : ionic-angular 3.9.3

System:

Android SDK Tools : 26.1.1
Node              : v8.14.0
npm               : 6.4.1 
OS                : Linux 4.10

Environment Variables:

ANDROID_HOME : /home/ramashishb/Android/Sdk

Misc:

backend : pro

Any idea what’s wrong?

Thanks,
Ramashish

Hi,

I don’t know how you handle requests on your server but I’ll do it like the code below:

Server (*.php file)

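// Sends the CORS response headers and returns true when the request may proceed.
function checkCORS() {
	// Only handle cross-origin requests that arrive over HTTPS.
	if (isset($_SERVER['HTTP_ORIGIN']) && isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
		// Echo the request's Origin back instead of '*', which browsers reject for credentialed requests.
		header('Access-Control-Allow-Origin: '.$_SERVER['HTTP_ORIGIN']);
		header('Access-Control-Allow-Credentials: true');
		header('Access-Control-Max-Age: 86400');    // cache for 1 day
		header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
		header('Access-Control-Allow-Headers: X-Requested-With, Content-Type, X-API-TOKEN');

		// Preflight requests carry no token, so they pass without the check below.
		if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') return true;
		else {
			// Real requests must carry the token header the app sends.
			if (isset($_SERVER['HTTP_X_API_TOKEN']) && $_SERVER['HTTP_X_API_TOKEN'] == 'WHATEVERYOUSENDFROMAPP') return true;
			else return false;
		}
	} else return false;
}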

And my .ts file sends this:

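// POST the device details together with the custom header defined below.
this.http.post(`${this.serverUrl}`, {uuid: this.device.uuid, model: this.device.model}, {headers: this.headers})
	.subscribe(response => {
		console.log(response);
	});

// Token header that checkCORS() on the server compares against.
private headers = new HttpHeaders({
	'X-API-TOKEN': 'WHATEVERYOUSENDFROMAPP'
});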

You don’t have to use the X-API-TOKEN either on the client or on the server.

Hope this helps you.

Cheers
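
The checkCORS() function above echoes back whatever Origin the request carries while also sending Access-Control-Allow-Credentials: true, so at the CORS layer every requesting site is approved for credentialed access. The following is an added example, not the poster's code, that keeps the same fix but only approves origins on an allowlist; the allowlist entries other than http://localhost and the function name corsHeadersFor are assumptions.

```php
<?php
// Added example, not the poster's code. The allowlist entries are assumptions.
const ALLOWED_ORIGINS = [
    'http://localhost',         // origin named in the error message in the question
    'https://app.example.com',  // hypothetical browser build of the app
];

// Returns the header lines for one request, given $_SERVER-style input.
function corsHeadersFor(array $server): array
{
    // Responses differ per Origin, so shared caches must key on it.
    $headers = ['Vary: Origin'];
    $origin = $server['HTTP_ORIGIN'] ?? '';

    // Exact, case-sensitive match; prefix or substring tests would also
    // accept look-alike hosts such as http://localhost.example.net.
    if (!in_array($origin, ALLOWED_ORIGINS, true)) {
        return $headers; // no Allow-Origin header: the browser blocks the read
    }

    $headers[] = 'Access-Control-Allow-Origin: ' . $origin;
    $headers[] = 'Access-Control-Allow-Credentials: true';

    if (($server['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
        // Preflight only: advertise what the real request may use.
        $headers[] = 'Access-Control-Allow-Methods: GET, POST, OPTIONS';
        $headers[] = 'Access-Control-Allow-Headers: X-Requested-With, Content-Type, X-API-TOKEN';
        $headers[] = 'Access-Control-Max-Age: 86400';
    }
    return $headers;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests, so the policy can be checked offline.
    print_r(corsHeadersFor(['HTTP_ORIGIN' => 'http://localhost', 'REQUEST_METHOD' => 'OPTIONS']));
    print_r(corsHeadersFor(['HTTP_ORIGIN' => 'http://localhost.example.net', 'REQUEST_METHOD' => 'POST']));
} else {
    foreach (corsHeadersFor($_SERVER) as $line) {
        header($line);
    }
    if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
        http_response_code(204); // a preflight needs no body
        exit;
    }
}
```

A request from an origin that is not listed still reaches the server; CORS only stops the calling page from reading the response, so session or token checks on the endpoint remain necessary.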

Thank you very much. It helped. I was missing the Access-Control-Allow-Credentials header.

Ramashish