CORS, appending portnum


#1

I have my dsp set up at dsp.foo.com:8080.
I have my webfiles hosted at dev.foo.com (same server).

The error: XMLHttpRequest cannot load http://dsp.foo.com:8080/rest/api_docs. The ‘Access-Control-Allow-Origin’ header has a value ‘http://dev.foo.com:8080’ that is not equal to the supplied origin. Origin ‘http://dev.foo.com’ is therefore not allowed access.

In the dsp-config I have set up CORS with * for all methods (and enabled).

The problem is that the Access-Control-Allow-Origin automatically appends the port number of the dsp (:8080) and therefore the origin is not the same. But I never try to access the dsp from :8080, its origin is http://dev.foo.com!

If I use curl and forge a request and specify -H ‘Origin: http://dsp.foo.com’ the response is: “Access-Control-Allow-Origin: http://foo.com:8080”. This must clearly be wrong?

If I specify a custom port it uses this correctly: -H ‘Origin: http://dsp.foo.com:8181’, response: “Access-Control-Allow-Origin: http://foo.com:8181”

I don't know where to start debugging this, the dreamfactory/htdocs/storage/cors.config.json file is correct.

/Dag


#2

So you have a reverse proxy, and you’re using one of the JavaScript SDKs? Is that correct?


#3

No, there is no proxying, the dsp is set up at server:8080 and the web is served from server:80.
When the dsp creates the Access-Control-Allow-Origin header it opens for origin ‘server:8080’ but this fails because the origin is not server:8080 but ‘server’ or ‘server:80’

The Access-Control-Allow-Origin header is set to http://server:8080, when it really should be http://server

I have made a quick, dirty workaround in vendor/dreamfactory/lib-php-common-platform/src/Yii/Components/PlatformWebApplication.php to prevent it from appending the dsp port number to the client origin.
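
The mismatch described in the posts above, as an added example that is not part of the original thread and is not DreamFactory's code: `acao_reported` is a hypothetical model of the reported behaviour, and `cors_headers` shows the usual server-side approach of comparing normalized origins while echoing the request's Origin unchanged. The allowlist entry and function names are assumptions; the hosts are taken from the first post.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize_origin(origin):
    """Return (scheme, host, port) with the default port made explicit, or None."""
    parts = urlsplit(origin)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return None  # an Origin value is scheme://host[:port] and nothing else
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname, port)

def acao_reported(origin, server_port):
    """Hypothetical model of the behaviour reported in the thread:
    rebuild the origin and fill a missing port with the server's own port."""
    parts = urlsplit(origin)
    port = parts.port if parts.port is not None else server_port
    return f"{parts.scheme}://{parts.hostname}:{port}"

def cors_headers(origin, allowlist):
    """Compare normalized origins, but echo the request's Origin unchanged."""
    wanted = normalize_origin(origin)
    if wanted is None or wanted not in {normalize_origin(a) for a in allowlist}:
        return {}
    # Vary: Origin keeps caches from reusing this response for another origin.
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}

def browser_accepts(origin, acao):
    """The browser requires '*' or an exact match with its serialized origin."""
    return acao == "*" or acao == origin

if __name__ == "__main__":
    page = "http://dev.foo.com"  # constructed from the hosts in the thread
    bad = acao_reported(page, 8080)
    good = cors_headers(page, ["http://dev.foo.com:80"])  # assumed allowlist
    print(bad, browser_accepts(page, bad))
    print(good, browser_accepts(page, good["Access-Control-Allow-Origin"]))
```

The allowlist entry is written with an explicit `:80` to show that the comparison treats it as the same origin as `http://dev.foo.com`, while `http://dev.foo.com:8080` is a different origin and gets no header.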


#4

Which SDK are you using?


#5

This behaviour can be observed independently of the SDK, just by using curl and setting the Origin header manually.

My app uses the angular-dreamfactory module.


#6

Upgrade Notice

Reaching out to let everyone know that the fix in DreamFactory Service Platform version 1.8 has been pushed to GitHub.

DreamFactory Software on Github

There is also the Wiki Upgrade Page where you can find how to upgrade based on your specific OS.

Thanks,

  • Mark
