Cross origin

I have the problems with framework ionic vs angular, I do app demoIonic rest api, use to $http() to using action “post/get/put/delete”, error crros: " XMLHttpRequest cannot load http://localhost/en-us/DesktopModules/plids/API/v1/Mobile/Membership/Login. The request was redirected to ‘’, which is disallowed for cross-origin requests that require preflight.". I have config:" $httpProvider.defaults.useXDomain = true; delete $httpProvider.defaults.headers.common[‘X-Requested-With’]; " the use to $http. help me!. thank’s you.

This won’t help. I also tried. Just configure your server to send cross origin headers. In my case I added the following headers:

Access-Control-Allow-Headers:X-Requested-With, content-type
Access-Control-Allow-Methods:POST, GET, PUT, DELETE, OPTIONS

1 Like

if you want to test this locally your can start your chrome with --disable-web-security parameter.

Apps will not have any issues with cross origin.
Consider if you really want to allow everyone to access your API.

If you are using a nodejs app you can configer cors in there.



Starting chrome in disabled security mode is quit annoying doing this every time.

And furthermore if you gonna load something remotely in your final app you will have to set those headers anyway.

1 Like

ähhm you can add the flag to your chrome shortcut?
in windows and linux/mac :wink:

The only thing is to keep in mind that the hangouts app starts often some chrome threads on startup without the flag, so you need to kill the processes first

1 Like

I pretty much enjoy my easy peasy way :smiley: :sunny:

There’s also an extension for Chrome:

1 Like

What do you exactly mean by this? I understand restricting CORS when for example Microsoft service calls Google’s service so Google permits only to call it but how does work in case of ionic (client side) app? What do you restrict? Thank you.

1 Like

CORS is something like a security mechanism for servers to only allow to access my content (pages, API-endpoints) only for known machines/hosts.

If you allow everyone ("*") to send requests to my API this could be a potential security risk.
SO you keep thinking, if it is a good idea in your case… especially for productive systems.

Greets, bengtler

Yes, I understand but in case of client side application consuming the API what do you use instead of “*”? It doesn’t have a domain/name. Or I understand it wrong completely.

if you build your app and install the apk on your device you will not ran into cors problem.
It does not occur in the app-context.

If you have a website where you need your API -> you can allow that specific host/domain.

1 Like