Cross origin

tranthebaocntt31b · February 2, 2015, 10:35am

I have the problems with framework ionic vs angular, I do app demoIonic rest api, use to $http() to using action “post/get/put/delete”, error crros: " XMLHttpRequest cannot load http://localhost/en-us/DesktopModules/plids/API/v1/Mobile/Membership/Login. The request was redirected to ‘https://plids.com/en-us/DesktopModules/plids/API/v1/Mobile/Membership/Login’, which is disallowed for cross-origin requests that require preflight.". I have config:" $httpProvider.defaults.useXDomain = true; delete $httpProvider.defaults.headers.common[‘X-Requested-With’]; " the use to $http. help me!. thank’s you.

Janson · February 2, 2015, 12:32pm

This won’t help. I also tried. Just configure your server to send cross origin headers. In my case I added the following headers:

Access-Control-Allow-Headers:X-Requested-With, content-type
Access-Control-Allow-Methods:POST, GET, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin:*

bengtler · February 2, 2015, 12:46pm

if you want to test this locally your can start your chrome with --disable-web-security parameter.

Apps will not have any issues with cross origin.
Consider if you really want to allow everyone to access your API.

If you are using a nodejs app you can configer cors in there.
https://www.npmjs.com/package/cors

Greetz.

Janson · February 2, 2015, 12:49pm

Starting chrome in disabled security mode is quit annoying doing this every time.

And furthermore if you gonna load something remotely in your final app you will have to set those headers anyway.

bengtler · February 2, 2015, 12:50pm

ähhm you can add the flag to your chrome shortcut?
in windows and linux/mac

The only thing is to keep in mind that the hangouts app starts often some chrome threads on startup without the flag, so you need to kill the processes first

Janson · February 2, 2015, 12:52pm

I pretty much enjoy my easy peasy way

brandyshea · February 2, 2015, 3:06pm

There’s also an extension for Chrome:

alfons12 · February 2, 2015, 3:29pm

What do you exactly mean by this? I understand restricting CORS when for example Microsoft service calls Google’s service so Google permits only Microsoft.com to call it but how does work in case of ionic (client side) app? What do you restrict? Thank you.

bengtler · February 2, 2015, 4:52pm

CORS is something like a security mechanism for servers to only allow to access my content (pages, API-endpoints) only for known machines/hosts.

If you allow everyone ("*") to send requests to my API this could be a potential security risk.
SO you keep thinking, if it is a good idea in your case… especially for productive systems.

Greets, bengtler

alfons12 · February 2, 2015, 5:18pm

Yes, I understand but in case of client side application consuming the API what do you use instead of “*”? It doesn’t have a domain/name. Or I understand it wrong completely.

bengtler · February 2, 2015, 5:27pm

if you build your app and install the apk on your device you will not ran into cors problem.
It does not occur in the app-context.

If you have a website where you need your API -> you can allow that specific host/domain.