CORS, appending portnum

dag · September 16, 2014, 11:38am

I have my dsp setup at dsp.foo.com:8080.
I have my webfiles hosted at dev.foo.com (same server).

The error: XMLHttpRequest cannot load http://dsp.foo.com:8080/rest/api_docs. The ‘Access-Control-Allow-Origin’ header has a value ‘http://dev.foo.com:8080’ that is not equal to the supplied origin. Origin ‘http://dev.foo.com’ is therefore not allowed access.

In the dsp-config I have setup CORS with * for all methods (and enabled).

The problem is that the Access-Control-Allow-Origin automatically appends the portnumber of the dsp (:8080) and therefore the origin is not the same. But I never try to access the dsp from :8080, its origin is http://dev.foo.com !

If I use curl and forge a request and specify -H ‘Origin: http://dsp.foo.com’ the response is: “Access-Control-Allow-Origin: http://foo.com:8080”. This must clearly be wrong ?

If I specify a custom port it uses this correctly: -H ‘Origin: http://dsp.foo.com:8181’ , response: “Access-Control-Allow-Origin: http://foo.com:8181”

I dont know where to start debugging this, the dreamfactory/htdocs/storage/cors.config.json file is correct.

/Dag

Jason · September 17, 2014, 12:17pm

So you have a reverse proxy, and you’re using one of the javascript SDKs? Is that correct?

dag · September 17, 2014, 12:47pm

no, there is no proxying, the dsp is setup at server:8080 and the web is served from server:80.
When the dsp creates the Access-Control-Allow-Origin header it opens for origin ‘server:8080’ but this fails because the origin is not server:8080 but ‘server’ or ‘server:80’

The Access-Control-Allow-Origin header is set to http://server:8080, when it really should be http://server

I have made a quick dirty workaround in vendor/dreamfactory/lib-php-common-platform/src/Yii/Components/PlatformWebApplication.php to prevent it from appending the dsp-port-nummer to the client-origin.

Jason · September 22, 2014, 1:13am

Which SDK are you using ?

dag · September 22, 2014, 6:53am

This behaviour can be observed sdk-independently with just using curl and setting the Origin-header manually.

My app uses the angular-dreamfactory module.

Mark · October 7, 2014, 4:21pm

Upgrade Notice

Reaching out to let everyone know about the fix in DreamFactory Service Platform version 1.8 has been pushed to github.

DreamFactory Software on Github

There is also the Wiki Upgrade Page where you can find how to upgrade based on your specific OS.

Thanks,

Mark

Topic		Replies	Views
CORS problem after upgrade from 1.6.10 to 1.7.8 App Configuration	8	4064	October 8, 2014
CORS Config using dsp-docker Authentication & Security	6	2777	September 10, 2015
What is the correct CORS entry for limiting an http:// connection to a hosted DSP from a home network? App Configuration	3	2488	July 29, 2015
CORS setting done via DSP admin console: select * from "cors_config" where enabled = 1 not working when using postgresql as system database App Configuration	4	3247	October 12, 2016
Access-Control-Allow-Headers missing on response header hosted on enterprise instance App Configuration	5	4341	August 14, 2017

CORS, appending portnum

Related Topics