Preflight CORS problem


#1

Hello,

I have created an Angular app. When the user is not logged in (or the locally stored access token is no longer valid), the app sends an /authorize request to a Slim Framework API.

This API verifies different values and tries to redirect to a login page. But the flow is broken by Chrome. The following error is shown in the browser:

Access to XMLHttpRequest at '' (redirected from '') from origin 'null' has been blocked by CORS policy: Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.

I tested the preflight request that Angular sends with curl and got the following:

HTTP/1.1 200 OK
Date: Tue, 29 Jan 2019 18:28:46 GMT
Server: Apache/2.4.25 (Debian)
X-Powered-By: PHP/7.2.6
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
Content-Length: 0
Content-Type: text/html; charset=UTF-8

Also with curl, the POST gets the following result:

HTTP/1.1 302 Found
Date: Tue, 29 Jan 2019 18:30:07 GMT
Server: Apache/2.4.25 (Debian)
X-Powered-By: PHP/7.2.6
Location: http://localhost:4201/#/auth?client-id=dad8af7d-a83e-4fcf-9c24-d937e6852c73&redirect-uri=https%3A%2F%2Flocalhost%3A4200&state=3yMmpkrMyf7kc4NP9DkYHE&nonce=1iJawMTOWRz2H38e2chQ5h&code=6QNFD31ZR3xvXX8MVwobW9
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Content-Length: 0
Content-Type: text/html; charset=UTF-8

What is wrong?

Best regards

AlfredoDS


#2

I’ve seen a similar problem with a React app that I built a couple of years ago. As I recall, the solution was to allow an OPTIONS route on the same URL.
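
An added example, not part of the thread or of either poster's code: a simplified JavaScript model of the check a browser runs on a preflight response, applied to the header set from the curl output in post #1 and to a constructed response that lacks Access-Control-Allow-Headers. The request shape (an `application/json` POST without credentials) and the `bareResponse` object are assumptions.

```javascript
// Simplified model of the browser-side CORS preflight check (Fetch standard).
// Response header names are lowercase keys; sample values are constructed.
const SAFE_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
const SAFE_HEADERS = ['accept', 'accept-language', 'content-language'];
const splitList = (v) => (v || '').split(',').map((s) => s.trim()).filter(Boolean);

// Author-set request headers that the preflight response must approve by name.
function unsafeHeaders(headers) {
  return Object.entries(headers)
    .map(([name, value]) => [name.toLowerCase(), value])
    .filter(([name, value]) => name === 'content-type'
      ? !SAFE_TYPES.includes(value.split(';')[0].trim().toLowerCase())
      : !SAFE_HEADERS.includes(name))
    .map(([name]) => name);
}

// Returns null when the preflight passes, otherwise the reason it is blocked.
function checkPreflight(req, res) {
  const wildcardOk = !req.credentials; // "*" only counts without credentials
  const acao = res['access-control-allow-origin'];
  if (acao !== req.origin && !(acao === '*' && wildcardOk)) return 'origin not allowed';

  const methods = splitList(res['access-control-allow-methods']);
  const safeMethod = ['GET', 'HEAD', 'POST'].includes(req.method);
  if (!safeMethod && !methods.includes(req.method) && !(wildcardOk && methods.includes('*'))) {
    return `method ${req.method} not allowed`;
  }
  const allowed = splitList(res['access-control-allow-headers']).map((h) => h.toLowerCase());
  for (const h of unsafeHeaders(req.headers)) {
    // "*" never covers Authorization; that header must be listed by name.
    const viaWildcard = wildcardOk && allowed.includes('*') && h !== 'authorization';
    if (!allowed.includes(h) && !viaWildcard) return `header ${h} not allowed`;
  }
  return null;
}

// Constructed from the curl output in the thread: the API's own preflight answer.
const apiPreflight = {
  'access-control-allow-origin': '*',
  'access-control-allow-methods': 'GET, POST, PUT, DELETE, PATCH',
  'access-control-allow-headers': 'Origin, X-Requested-With, Content-Type, Accept, Authorization',
};
// Assumption: an endpoint that answers OPTIONS without Access-Control-Allow-Headers.
const bareResponse = { 'access-control-allow-origin': '*' };
// Assumption: a JSON POST from the origin named in the error, no credentials.
const request = { origin: 'null', method: 'POST', credentials: false,
  headers: { 'Content-Type': 'application/json' } };

console.log(checkPreflight(request, apiPreflight));
console.log(checkPreflight(request, bareResponse));
```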