CORS pre-flight comes back with Access-Control-Allow-Origin:*, browser still fails request
change your Access-Control-Allow-Methods: 'GET, POST' to 'GET, POST, PUT, DELETE'
before:
app.use(function(req, res, next) { res.setHeader('Access-Control-Allow-Origin', '*'); res.setHeader('Access-Control-Allow-Methods', 'GET, POST'); res.setHeader('Access-Control-Allow-Headers', 'X-Requested-With,content-type, Authorization'); next(); });
After:
app.use(function(req, res, next) { res.setHeader('Access-Control-Allow-Origin', '*'); res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT ,DELETE'); res.setHeader('Access-Control-Allow-Headers', 'X-Requested-With,content-type, Authorization'); next();});
I recently had the same issue. The problem is that the Access-Control-Allow-Origin
header (and, if you use it, the Access-Control-Allow-Credentials
header) must be sent in both the preflight response and the actual response.
Your example has it only in the preflight response.
Is your web server/get function ALSO including the HTTP header: Access-Control-Allow-Origin? I eventually found success with that addition, using AngularJS 1.0.7 and a remote Java servlet. Here is my Java code snippet--no changes were required in AngularJS client:
Servlet:
@Overrideprotected void doOptions(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // Send Response super.doOptions(request, response); response.setHeader("Access-Control-Allow-Origin", "*"); response.setHeader("Access-Control-Allow-Headers", "Content-Type, X-Requested-With");}@Overrideprotected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { /* ... */ response.setHeader("Access-Control-Allow-Origin", "*");}
A more elegant alternative is a servlet filter.